<p>Upgrade <code>github.com/cometbft/cometbft/blocksync</code> to version 0.37.7, 0.38.8 or higher.</p>

=0.38.0 <0.38.8

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GITHUBCOMCOMETBFTCOMETBFTBLOCKSYNC-7413595
published 30 Jun 2024
disclosed 28 Jun 2024
credit unknownfeature

Report a new vulnerability Found a mistake?

Introduced: 28 Jun 2024

CWE-610 Open this link in a new tab

How to fix?

Upgrade github.com/cometbft/cometbft/blocksync to version 0.37.7, 0.38.8 or higher.

Overview

Affected versions of this package are vulnerable to Externally Controlled Reference to a Resource in Another Sphere during the blocksync process. An attacker can disrupt the normal operation and cause the system to enter an unstable state or get stuck by manipulating the data sent during the synchronization process. This is only exploitable if the node is syncing from a malicious peer.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)

Adjacent
Attack Complexity (AC)

High
Attack Requirements (AT)

None
Privileges Required (PR)

None
User Interaction (UI)

None

Confidentiality (VC)

None
Integrity (VI)

None
Availability (VA)

High

Confidentiality (SC)

None
Integrity (SI)

None
Availability (SA)

None

Externally Controlled Reference to a Resource in Another Sphere Affecting github.com/cometbft/cometbft/blocksync package, versions <0.37.7 >=0.38.0 <0.38.8

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 28 Jun 2024

How to fix?

Overview

References

CVSS Scores

Snyk