x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-p7mv-53f2-4cwj

[GoVulnBot]

Advisory GHSA-p7mv-53f2-4cwj references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data
Component: CometBFT
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: >= 0.38.x, unreleased v1.x and main development branches
Affected users: Chain Builders + Maintainers, Validators

Impact

A CometBFT node running in a network with [vote extensions][abci-spec] enabled could produce an invalid Vote message and send it to its peers. The invalid field of the ...

References:

• ADVISORY: GHSA-p7mv-53f2-4cwj
• ADVISORY: GHSA-p7mv-53f2-4cwj
• WEB: https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts
• WEB: https://github.com/cometbft/cometbft/releases/tag/v0.38.15

Cross references:

• github.com/cometbft/cometbft appears in 7 other report(s):
  • data/excluded/GO-2023-2092.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092) NOT_A_VULNERABILITY
  • data/excluded/GO-2024-2585.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv #2585) NOT_A_VULNERABILITY
  • data/reports/GO-2023-1882.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882)
  • data/reports/GO-2023-1883.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883)
  • data/reports/GO-2024-2471.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471)
  • data/reports/GO-2024-2951.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hg58-rf2h-6rr7 #2951)
  • data/reports/GO-2024-3112.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - introduced: 0.38.0
        - fixed: 0.38.15
      vulnerable_at: 0.38.14
summary: 'CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft'
ghsas:
    - GHSA-p7mv-53f2-4cwj
references:
    - advisory: https://github.com/advisories/GHSA-p7mv-53f2-4cwj
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj
    - web: https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts
    - web: https://github.com/cometbft/cometbft/releases/tag/v0.38.15
source:
    id: GHSA-p7mv-53f2-4cwj
    created: 2024-11-06T16:01:33.37723525Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/626158 mentions this issue: data/reports: add 4 NEEDS_REVIEW reports