
x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: CVE-2021-41135 #255

Closed
GoVulnBot opened this issue Jan 7, 2022 · 2 comments
Assignees
Labels
cve-year-2021 excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot

In CVE-2021-41135, the reference URL github.com/cosmos/cosmos-sdk (and possibly others) refers to something in Go.

module: github.com/cosmos/cosmos-sdk
package: cosmos-sdk
description: |
  The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the node’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.
cves:
- CVE-2021-41135
links:
  commit: https://github.com/cosmos/cosmos-sdk/commit/68ab790a761e80d3674f821794cf18ccbfed45ee
  context:
  - https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349
  - https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-2p6r-37p9-89p2

See doc/triage.md for instructions on how to triage this report.
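The non-determinism the description refers to, reduced to a stand-alone Go illustration added here (not the cosmos-sdk's own code): a stateless ValidateBasic that reads the node's wall clock, a deterministic variant that defers the expiry check to the consensus-agreed block time, and a helper showing how two honest nodes with skewed clocks disagree on the same message. The Grant type, function names and the block-time check are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is a simplified stand-in for the x/authz Grant message (assumption, not the SDK type).
type Grant struct {
	Expiration time.Time
}

// validateBasicWallClock mirrors the flawed pattern: stateless validation that consults the
// node's local clock, so two honest nodes with different clocks can disagree on validity.
func validateBasicWallClock(g Grant, now func() time.Time) error {
	if g.Expiration.Before(now()) {
		return errors.New("grant expired")
	}
	return nil
}

// validateBasicDeterministic keeps ValidateBasic free of any clock; it only checks
// properties every node sees identically in the message bytes.
func validateBasicDeterministic(g Grant) error {
	if g.Expiration.IsZero() {
		return errors.New("expiration must be set")
	}
	return nil
}

// checkExpiryAtBlockTime is the handler-side check against the block header time,
// which is agreed by consensus and therefore identical on every node (assumed design).
func checkExpiryAtBlockTime(g Grant, blockTime time.Time) error {
	if !g.Expiration.After(blockTime) {
		return errors.New("grant expired at block time")
	}
	return nil
}

// consensusSplit reports whether two validators with clocks clockA and clockB
// reach different verdicts for the same grant under the wall-clock check.
func consensusSplit(g Grant, clockA, clockB time.Time) bool {
	errA := validateBasicWallClock(g, func() time.Time { return clockA })
	errB := validateBasicWallClock(g, func() time.Time { return clockB })
	return (errA == nil) != (errB == nil)
}

func main() {
	// Constructed sample: node A's clock is a minute before expiry, node B's a minute after.
	exp := time.Date(2021, 10, 12, 12, 0, 0, 0, time.UTC)
	g := Grant{Expiration: exp}
	fmt.Println("wall-clock split:", consensusSplit(g, exp.Add(-time.Minute), exp.Add(time.Minute)))
	fmt.Println("block-time check:", checkExpiryAtBlockTime(g, exp.Add(-time.Minute)))
}
```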

@neild (Contributor)

neild commented Jul 1, 2022

This repository can't be imported, because it uses a replace directive in its go.mod to target a nonexistent version of github.com/gogo/protobuf:

replace github.com/gogo/protobuf => github.com/regen-network/protobuf v1.3.3-alpha.regen.1

Going to close this as non-actionable.

@gopherbot (Contributor)

Change https://go.dev/cl/592766 mentions this issue: data/reports: unexclude 50 reports
