CVE-2022-23507 – tendermint-light-client-verifier
Package
Manager: cargo
Name: tendermint-light-client-verifier
Vulnerable Version: >=0 <0.28.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00117 (percentile 0.31249)
Details
Tendermint light client verification not taking into account chain ID

### Impact

Anyone using the `tendermint-light-client` and related packages to perform light client verification (e.g. IBC-rs, Hermes).

At present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client.

The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks.

### Patches

Users of the light client-related crates can currently upgrade to `v0.28.0`.

### Workarounds

None

### References

- [Light Client specification](https://github.com/tendermint/tendermint/tree/main/spec/light-client)
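The missing check described under Impact, shown as an added example in a simplified model; this is not code from the advisory or from the `tendermint-light-client-verifier` crate. All types, function names, the 1/3 overlap threshold and the sample data are assumptions made for illustration.

```rust
// Simplified model (added example). Types and functions are hypothetical,
// not the tendermint-light-client-verifier API.
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum Verdict { Success, ChainIdMismatch, InsufficientOverlap }

pub struct SignedHeader {
    pub chain_id: String,
    pub signers: HashSet<String>, // validator ids whose commit signatures verified
}

pub struct TrustedState {
    pub chain_id: String,
    pub validators: HashMap<String, u64>, // validator id -> voting power
}

// Overlap check: signers must hold more than 1/3 of the trusted voting power.
fn has_sufficient_overlap(trusted: &TrustedState, untrusted: &SignedHeader) -> bool {
    let total: u64 = trusted.validators.values().sum();
    let signed: u64 = untrusted.signers.iter().filter_map(|id| trusted.validators.get(id)).sum();
    signed * 3 > total
}

// Behaviour the advisory describes: chain IDs are never compared.
pub fn verify_without_chain_id(t: &TrustedState, u: &SignedHeader) -> Verdict {
    if has_sufficient_overlap(t, u) { Verdict::Success } else { Verdict::InsufficientOverlap }
}

// Hardened form: reject a header from another chain before any other predicate runs.
pub fn verify_with_chain_id(t: &TrustedState, u: &SignedHeader) -> Verdict {
    if t.chain_id != u.chain_id { return Verdict::ChainIdMismatch; }
    verify_without_chain_id(t, u)
}

// Constructed sample: trusted state on "chain-A", untrusted header claiming "chain-B".
pub fn sample() -> (TrustedState, SignedHeader) {
    let validators = ["val-a", "val-b", "val-c"].iter().map(|v| (v.to_string(), 10)).collect();
    let signers = ["val-a", "val-b"].iter().map(|v| v.to_string()).collect();
    (TrustedState { chain_id: "chain-A".into(), validators },
     SignedHeader { chain_id: "chain-B".into(), signers })
}

fn main() {
    let (t, u) = sample();
    println!("without chain ID check: {:?}", verify_without_chain_id(&t, &u));
    println!("with chain ID check:    {:?}", verify_with_chain_id(&t, &u));
}
```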
Metadata
Created: 2022-12-14T21:35:24Z
Modified: 2022-12-14T21:35:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xqqc-c5gw-c5r5/GHSA-xqqc-c5gw-c5r5.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-xqqc-c5gw-c5r5
Finding: F204
Auto approve: 1