<p>Upgrade <code>github.com/cometbft/cometbft/light</code> to version 0.34.34, 0.37.11, 0.38.12 or higher.</p>

=0.38.0 <0.38.12

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GITHUBCOMCOMETBFTCOMETBFTLIGHT-7897568
published 5 Sep 2024
disclosed 3 Sep 2024
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 3 Sep 2024

CWE-362 Open this link in a new tab

How to fix?

Upgrade github.com/cometbft/cometbft/light to version 0.34.34, 0.37.11, 0.38.12 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition through the State object computation process. An attacker can cause a chain split by exploiting inconsistencies in the ProposerPriority field during state synchronization.

Note: This is only exploitable if validators run state sync using RPC nodes that are malicious or report invalid states for the proposer selection algorithm.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

High
Attack Requirements (AT)

Present
Privileges Required (PR)

None
User Interaction (UI)

Passive

Confidentiality (VC)

None
Integrity (VI)

Low
Availability (VA)

Low

Confidentiality (SC)

Low
Integrity (SI)

Low
Availability (SA)

High

Race Condition Affecting github.com/cometbft/cometbft/light package, versions >=0.34.27-alpha.1 <0.34.34 >=0.37.0 <0.37.11 >=0.38.0 <0.38.12

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 3 Sep 2024

How to fix?

Overview

References

CVSS Scores

Snyk