See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
    - module: github.com/cheqd/cheqd-node
      versions:
          - fixed: 1.4.4
      packages:
          - package: github.com/cheqd/cheqd-node
summary: cheqd-node subject to Cosmos SDK "Barberry" vulnerability
description: |
    ### Impact
    This [vulnerability, dubbed "Barberry", affects the Cosmos SDK framework](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825) that `cheqd-node` uses as its base.
    It affects the way the Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework.
    There is no vulnerability in the DID/resource modules of `cheqd-node`.
    ### Patches
    Node operators are requested to upgrade to [cheqd-node v1.4.4](https://github.com/cheqd/cheqd-node/releases/tag/v1.4.4). This is not a state-breaking release and does not require a coordinated upgrade across all node operators.
    This vulnerability was patched in [Cosmos SDK v0.46.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13). Since that version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was [backported to cheqd's fork of the Cosmos SDK](https://github.com/cheqd/cosmos-sdk/releases/tag/v0.46.10-barberry).
    ### Mitigation
    When at least ~**33**% of the network's voting power has deployed the recommended version of the software, any attack would be unsuccessful but would cause a chain halt.
    Once at least ~**67**% of the network's voting power has deployed the recommended version of the software, the attack would be unsuccessful _without_ a chain halt.
    ### Workarounds
    None. Node operators are advised to upgrade to the latest release version.
    ### References
    - ["Barberry" vulnerability security advisory](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825)
    - [Cosmos SDK v0.46.13 release notes](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13)
ghsas:
    - GHSA-8qxh-2gh8-r923
references:
    - advisory: https://github.com/cheqd/cheqd-node/security/advisories/GHSA-8qxh-2gh8-r923
    - web: https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825
    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13
    - advisory: https://github.com/advisories/GHSA-8qxh-2gh8-r923
```
In GitHub Security Advisory GHSA-8qxh-2gh8-r923, there is a vulnerability in the following Go packages or modules:
Cross references: