Insufficient Verification of Data Authenticity Affecting github.com/cosmos/interchain-security/v5/x/ccv/provider/keeper package, versions >=2.4.0-lsm <4.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMCOSMOSINTERCHAINSECURITYV5XCCVPROVIDERKEEPER-7721058
- published 26 Aug 2024
- disclosed 19 Aug 2024
- credit Unknown
How to fix?
Upgrade github.com/cosmos/interchain-security/v5/x/ccv/provider/keeper
to version 4.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to a missing check in the cryptographic equivocation evidence handling process. An attacker can manipulate the blockchain's integrity by submitting crafted evidence that bypasses the height verification.