GHSA-rg2q-2jh9-447q – cosmwasm-vm

Package

Manager: cargo
Name: cosmwasm-vm
Vulnerable Version: >=0 <1.5.6 || >=2.0.0 <2.0.5 || >=2.1.0 <2.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Gas mispricing in cosmwasm-vm **Component:** wasmvm **Criticality:** Medium ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L:Likely) **Patched versions:** wasmvm 1.5.4, 2.0.3, 2.1.2 Some Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the [gas target](https://github.com/CosmWasm/cosmwasm/blob/e50490c4199a234200a497219b27f071c3409f58/docs/GAS.md#cosmwasm-gas-pricing) we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain. See [CWA-2024-004](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md) for more details.

Metadata

Created: 2024-08-08T16:30:50Z
Modified: 2024-08-08T17:03:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-rg2q-2jh9-447q/GHSA-rg2q-2jh9-447q.json
CWE IDs: ["CWE-920"]
Alternative ID: N/A
Finding: F067
Auto approve: 1