GHSA-r9rv-9mh8-pxf4 – ckb

Package

Manager: cargo
Name: ckb
Vulnerable Version: >=0 <0.33.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Nervos CKB BlockTimeTooNew should not be considered as invalid block ### Impact Currently, when a node receives a block in future according to its local wall clock, it will mark the block as invalid and ban the peer. If the header's timestamp is more than 15 seconds ahead of our current time. In that case, the header may become valid in the future, and we don't want to disconnect a peer merely for serving us one too-far-ahead block header, to prevent an attacker from splitting the network by mining a block right at the 15 seconds boundary. ### Patches Upgrade to v0.33.1 or above. ### Workarounds Don't ban peer serving too-far-ahead block header.

Metadata

Created: 2024-02-02T22:23:07Z
Modified: 2024-02-02T22:23:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-r9rv-9mh8-pxf4/GHSA-r9rv-9mh8-pxf4.json
CWE IDs: []
Alternative ID: N/A
Finding: F002
Auto approve: 1