x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-47ww-ff84-4jrg #3516
Closed
GoVulnBot opened this issue Mar 12, 2025 · 1 comment

Comments

@GoVulnBot
Advisory GHSA-47ww-ff84-4jrg references a vulnerability in the following Go modules:

Module
github.com/cosmos/cosmos-sdk

Description:
Name: ISA-2025-002: x/group can halt when erroring in EndBlocker
Component: CosmosSDK
Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2)
Affected versions: <= v0.47.16, <= 0.50.12
Affected users: Validators, Full nodes, Users on chains that utilize the groups module
Cosmos SDK chains in unpatched releases that use the x/group module are affected.

Description

An issue was discovered in the groups module where malicious proposals would result in errors triggered in the module's...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cosmos/cosmos-sdk
      non_go_versions:
        - introduced: TODO (earliest fixed "0.47.17", vuln range "<= 0.47.16")
        - introduced: TODO (earliest fixed "0.50.13", vuln range ">= 0.50.0-alpha.0, <= 0.50.12")
      vulnerable_at: 0.50.13
summary: 'Cosmos SDK: x/group can halt when erroring in EndBlocker in github.com/cosmos/cosmos-sdk'
ghsas:
    - GHSA-47ww-ff84-4jrg
references:
    - advisory: https://github.com/advisories/GHSA-47ww-ff84-4jrg
    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg
    - fix: https://github.com/cosmos/cosmos-sdk/commit/cbd69fb1f4fac418c1f8c6253f5f91fb1263776a
notes:
    - fix: 'module merge error: could not merge versions of module github.com/cosmos/cosmos-sdk: invalid or non-canonical semver version (found TODO (earliest fixed "0.47.17", vuln range "<= 0.47.16"))'
source:
    id: GHSA-47ww-ff84-4jrg
    created: 2025-03-12T20:01:25.252024527Z
review_status: UNREVIEWED

@gopherbot
Contributor

Change https://go.dev/cl/657595 mentions this issue: data/reports: add 2 reports

@thatnealpatel thatnealpatel self-assigned this Mar 13, 2025