Skip to content

x/vulndb: potential Go vuln in github.com/CosmWasm/wasmd: GHSA-m3rh-cvr5-x6q4 #3059

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
GoVulnBot opened this issue Aug 8, 2024 · 1 comment
Labels

Comments

@GoVulnBot
Copy link

Advisory GHSA-m3rh-cvr5-x6q4 references a vulnerability in the following Go modules:

Module
github.com/CosmWasm/wasmd

Description:
Component: wasmd
Criticality: Low (ACMv1: I:Moderate; L:Unlikely)
Patched versions: wasmd 0.52.0

In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in ValidateBasic.

See CWA-2024-003 for more details.

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/CosmWasm/wasmd
      versions:
        - fixed: 0.52.0
      vulnerable_at: 0.51.0
summary: CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd
ghsas:
    - GHSA-m3rh-cvr5-x6q4
references:
    - advisory: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-m3rh-cvr5-x6q4
    - advisory: https://github.com/advisories/GHSA-m3rh-cvr5-x6q4
    - fix: https://github.com/CosmWasm/wasmd/commit/76c0c061c9cb6b142163883e46c26d99384dc443
    - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-003.md
source:
    id: GHSA-m3rh-cvr5-x6q4
    created: 2024-08-08T17:01:19.056726185Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/605315 mentions this issue: data/reports: add 7 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants