Externally Controlled Reference to a Resource in Another Sphere Affecting github.com/cometbft/cometbft/blocksync package, versions <0.37.7>=0.38.0 <0.38.8
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMCOMETBFTCOMETBFTBLOCKSYNC-7413595
- published30 Jun 2024
- disclosed28 Jun 2024
- creditunknownfeature
Introduced: 28 Jun 2024
CVE NOT AVAILABLE CWE-610 Â (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade github.com/cometbft/cometbft/blocksync to version 0.37.7, 0.38.8 or higher.
Overview
Affected versions of this package are vulnerable to Externally Controlled Reference to a Resource in Another Sphere during the blocksync process. An attacker can disrupt the normal operation and cause the system to enter an unstable state or get stuck by manipulating the data sent during the synchronization process. This is only exploitable if the node is syncing from a malicious peer.