
x/vulndb: potential Go vuln in github.com/cheqd/cheqd-node: GHSA-7c94-gvvj-r3mg #1824

Closed
GoVulnBot opened this issue Jun 5, 2023 · 3 comments
Labels
excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report. NeedsInvestigation

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-7c94-gvvj-r3mg, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/cheqd/cheqd-node | 1.4.2 | < 1.4.2 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/cheqd/cheqd-node
      versions:
        - fixed: 1.4.2
      packages:
        - package: github.com/cheqd/cheqd-node
summary: cheqd-node affected by Inter-blockchain Communication (IBC) protocol "Huckleberry" vulnerability
description: |
    ### Impact
    This vulnerability affects the [`ibc-go` package for those running full nodes, dubbed "Huckleberry"](https://forum.cosmos.network/t/ibc-security-advisory-huckleberry/10731). According to their advisory:

    > This issue is low-severity in general, and it has a low impact and likelihood of exploitation. Depending on how a full node is architected, this issue could potentially yield a high or critical severity vulnerability.

    There is no vulnerability in the DID/resource modules for cheqd-node.

    ### Patches
    Node operators are requested to upgrade to [cheqd-node v1.4.2](https://github.com/cheqd/cheqd-node/releases/tag/v1.4.2). This is a non-state breaking release, and does not require a coordinated upgrade across all node operators.

    ### Workarounds
    No. Node operators are recommended to upgrade to the latest release version.

    ### References
    - ["Huckleberry" IBC security advisory](https://forum.cosmos.network/t/ibc-security-advisory-huckleberry/10731)
    - [`ibc-go` v6.1.1 release notes](https://github.com/cosmos/ibc-go/releases/tag/v6.1.1)
ghsas:
    - GHSA-7c94-gvvj-r3mg
references:
    - advisory: https://github.com/cheqd/cheqd-node/security/advisories/GHSA-7c94-gvvj-r3mg
    - fix: https://github.com/cheqd/cheqd-node/commit/f325f5f250e150e3e76a5a557669f67b606e34e1
    - web: https://forum.cosmos.network/t/ibc-security-advisory-huckleberry/10731
    - web: https://github.com/cheqd/cheqd-node/releases/tag/v1.4.2
    - web: https://github.com/cosmos/ibc-go/releases/tag/v6.1.1
    - advisory: https://github.com/advisories/GHSA-7c94-gvvj-r3mg

@neild neild self-assigned this Jun 14, 2023
@gopherbot

Change https://go.dev/cl/503555 mentions this issue: data/reports: add GO-2023-1824.yaml

@neild neild added the excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report. label Jun 14, 2023
@neild

neild commented Jun 14, 2023

Root vulnerability is #1860.

@gopherbot

Change https://go.dev/cl/503837 mentions this issue: data/excluded: batch add 21 excluded reports
