x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-8wcc-m6j2-qxvm

[GoVulnBot]

Advisory GHSA-8wcc-m6j2-qxvm references a vulnerability in the following Go modules:

Module
github.com/cosmos/cosmos-sdk

Description:

Summary

ASA-2024-0012

Name: ASA-2024-0012, Transaction decoding may result in a stack overflow
Component: Cosmos SDK
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14
Affected users: Chain Builders + Maintainers, Validators, node operators

ASA-2024-0013

Name: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion
Component: Cosmos SDK
Criticality: High (Considerable Impact, ...

References:

• ADVISORY: GHSA-8wcc-m6j2-qxvm
• ADVISORY: GHSA-8wcc-m6j2-qxvm
• FIX: cosmos/cosmos-sdk@c6b1bdc
• WEB: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.15
• WEB: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11

Cross references:

• github.com/cosmos/cosmos-sdk appears in 9 other report(s):
  • data/excluded/GO-2022-0255.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: CVE-2021-41135 #255) NOT_IMPORTABLE
  • data/excluded/GO-2023-2047.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-23px-mw2p-46qm #2047) NOT_IMPORTABLE
  • data/reports/GO-2023-1821.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-qfc5-6r3j-jj22 #1821)
  • data/reports/GO-2023-1861.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk #1861)
  • data/reports/GO-2023-1881.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-w5w5-2882-47pc #1881)
  • data/reports/GO-2024-2571.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-2557-x9mg-76w8 #2571)
  • data/reports/GO-2024-2572.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-4j93-fm92-rp4m #2572)
  • data/reports/GO-2024-2584.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-86h5-xcpx-cfqc #2584)
  • data/reports/GO-2024-2638.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-95rx-m9m5-m94v #2638)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cosmos/cosmos-sdk
      versions:
        - fixed: 0.47.15
        - introduced: 0.50.0-alpha.0
        - fixed: 0.50.11
      vulnerable_at: 0.50.10
summary: |-
    ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a
    stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk
ghsas:
    - GHSA-8wcc-m6j2-qxvm
references:
    - advisory: https://github.com/advisories/GHSA-8wcc-m6j2-qxvm
    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm
    - fix: https://github.com/cosmos/cosmos-sdk/commit/c6b1bdcd5628e3e425a3f02881d3c7db1d7af653
    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.15
    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11
source:
    id: GHSA-8wcc-m6j2-qxvm
    created: 2024-12-16T20:03:17.990893449Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/636718 mentions this issue: data/reports: add GO-2024-3339

[gopherbot]

Change https://go.dev/cl/637980 mentions this issue: data/reports: review 2 reports