data/reports: add GO-2023-1883.yaml

jba · jba · commit b2bd8da5c287 · 2023-07-13T22:19:53.000Z
Aliases: CVE-2023-34451, GHSA-w24w-wp77-qffm Fixes #1883 Change-Id: I2d1dd45aaeee09f1128ce1cc8ef9c3dde50d2fdc Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/508455 Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2023-1883.json b/data/osv/GO-2023-1883.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1883",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-34451",
+    "GHSA-w24w-wp77-qffm"
+  ],
+  "summary": "Denial of service via OOM in github.com/cometbft/cometbft",
+  "details": "A bug in the CometBFT middleware causes the mempool's two data structures to fall out of sync. This can lead to duplicate transactions that cannot be removed, even after they are committed in a block. The only way to remove the transaction is to restart the node. This can be exploited by an attacker to bring down a node by repeatedly submitting duplicate transactions.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cometbft/cometbft",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.37.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cometbft/cometbft/mempool/v0",
+            "symbols": [
+              "CListMempool.CheckTx",
+              "CListMempool.resCbFirstTime",
+              "Reactor.ReceiveEnvelope"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffm"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/890"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/tendermint/tendermint/pull/2778"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1883"
+  }
+}
diff --git a/data/reports/GO-2023-1883.yaml b/data/reports/GO-2023-1883.yaml
@@ -0,0 +1,30 @@
+id: GO-2023-1883
+modules:
+    - module: github.com/cometbft/cometbft
+      versions:
+        - fixed: 0.37.2
+      vulnerable_at: 0.37.1
+      packages:
+        - package: github.com/cometbft/cometbft/mempool/v0
+          symbols:
+            - CListMempool.resCbFirstTime
+          derived_symbols:
+            - CListMempool.CheckTx
+            - Reactor.ReceiveEnvelope
+summary: Denial of service via OOM in github.com/cometbft/cometbft
+description: |-
+    A bug in the CometBFT middleware causes the mempool's two data structures to
+    fall out of sync. This can lead to duplicate transactions that cannot be
+    removed, even after they are committed in a block. The only way to remove
+    the transaction is to restart the node. This can be exploited by an attacker
+    to bring down a node by repeatedly submitting duplicate transactions.
+cves:
+    - CVE-2023-34451
+ghsas:
+    - GHSA-w24w-wp77-qffm
+references:
+    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffm
+    - fix: https://github.com/cometbft/cometbft/pull/890
+    - fix: https://github.com/tendermint/tendermint/pull/2778
+notes:
+    - The advisory refers to versions beginning 0.34. The module at those versions requires a replace directive to be usable. There is a fix in 0.34.28.
