x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc

[GoVulnBot]

Advisory GHSA-g5xx-c4hv-9ccc references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2024-009: State syncing validator from malicious node may lead to a chain split
Component: CometBFT
Criticality: Medium (ACMv1.2: I:Moderate; L: Possible)
Affected versions: >= 0.34.0, <= 0.34.33, >=0.37.0, <= 0.37.10, >= 0.38.0, <= 0.38.11

Summary

The state sync protocol retrieves a snapshot of the application and installs it in a fresh node. In order for this node to be ready to run consensus and block sync from the installed snapshot height, we also need to install a vali...

References:

• ADVISORY: GHSA-g5xx-c4hv-9ccc
• ADVISORY: GHSA-g5xx-c4hv-9ccc
• FIX: cometbft/cometbft@3937e00
• FIX: cometbft/cometbft@52c00a5

Cross references:

• github.com/cometbft/cometbft appears in 6 other report(s):
  • data/excluded/GO-2023-2092.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092) NOT_A_VULNERABILITY
  • data/excluded/GO-2024-2585.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv #2585) NOT_A_VULNERABILITY
  • data/reports/GO-2023-1882.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882)
  • data/reports/GO-2023-1883.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883)
  • data/reports/GO-2024-2471.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471)
  • data/reports/GO-2024-2951.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hg58-rf2h-6rr7 #2951)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - fixed: 0.34.34
        - introduced: 0.37.0
        - fixed: 0.37.11
        - introduced: 0.38.0
        - fixed: 0.38.12
      non_go_versions:
        - introduced: 0.34.0
summary: CometBFT's state syncing validator from malicious node may lead to a chain split in github.com/cometbft/cometbft
ghsas:
    - GHSA-g5xx-c4hv-9ccc
references:
    - advisory: https://github.com/advisories/GHSA-g5xx-c4hv-9ccc
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc
    - fix: https://github.com/cometbft/cometbft/commit/3937e00a339ee6b861d75997b4f6c87d867b74f2
    - fix: https://github.com/cometbft/cometbft/commit/52c00a537f8f56ed94b4a5c8af6e3fecff468b55
notes:
    - fix: 'github.com/cometbft/cometbft: could not add vulnerable_at: module is not canonical at 1 version(s): 0.34.34 (canonical:github.com/tendermint/tendermint)'
source:
    id: GHSA-g5xx-c4hv-9ccc
    created: 2024-09-03T21:01:29.213306039Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/613258 mentions this issue: data/reports: add GO-2024-3112