Insufficient Verification of Data Authenticity Affecting github.com/cosmos/interchain-security/v5/x/ccv/provider/types package, versions >=5.1.0 <5.2.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMCOSMOSINTERCHAINSECURITYV5XCCVPROVIDERTYPES-7924790
- published 8 Sep 2024
- disclosed 6 Sep 2024
- credit Unknown
How to fix?
Upgrade github.com/cosmos/interchain-security/v5/x/ccv/provider/types
to version 5.2.0 or higher.
Overview
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to missing validation on the ICS
side to check if the signer matches the provider address. This allows an attacker to opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain.
References
CVSS Scores
version 3.1