GHSA-8qxh-2gh8-r923 – github.com/cheqd/cheqd-node
Package
Manager: go
Name: github.com/cheqd/cheqd-node
Vulnerable Version: >=0 <1.4.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
cheqd-node subject to Cosmos SDK "Barberry" vulnerability

### Impact

This [vulnerability, dubbed "Barberry", affects the Cosmos SDK framework](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825) that `cheqd-node` uses as its base. It affects the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework. There is no vulnerability in the DID/resource modules of `cheqd-node`.

### Patches

Node operators are requested to upgrade to [cheqd-node v1.4.4](https://github.com/cheqd/cheqd-node/releases/tag/v1.4.4). This is not a state-breaking release and does not require a coordinated upgrade across all node operators.

The vulnerability was patched upstream in [Cosmos SDK v0.46.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13). Because that version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was instead [backported to cheqd's fork of Cosmos SDK](https://github.com/cheqd/cosmos-sdk/releases/tag/v0.46.10-barberry).

### Mitigation

Once at least ~**33**% of the network's voting power is running the recommended version, any attack would fail but would cause a chain halt. Once at least ~**67**% of the network's voting power is running the recommended version, the attack would fail _without_ a chain halt.

### Workarounds

None. Node operators are recommended to upgrade to the latest release version.

### References

- ["Barberry" vulnerability security advisory](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825)
- [Cosmos SDK v0.46.13 release notes](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13)
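The two facts an operator needs from this advisory, the vulnerable version range (`>=0 <1.4.4`) and the ~33% / ~67% voting-power thresholds, can both be checked mechanically. The Go program below is an added example written for this page; it is not cheqd-node or Cosmos SDK code. `IsVulnerable` compares a reported node version against v1.4.4 with semver ordering (so a `v1.4.4-rc1` pre-release still counts as vulnerable), and `AssessNetwork` sums the voting power on patched versions and maps the fraction to the advisory's three states. The `Validator` record, its field names and the sample validator set are constructed for illustration, and how the version strings are collected from each validator (e.g. from `cheqd-noded version`) is assumed rather than implemented; the cut-offs of 1/3 and 2/3 stand in for the advisory's "~33%" and "~67%".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the first cheqd-node release carrying the Barberry backport
// (advisory range: >=0 <1.4.4).
const FixedVersion = "v1.4.4"

// semver holds the numeric core of a version plus a pre-release flag.
type semver struct {
	major, minor, patch int
	prerelease          bool
}

// parseVersion accepts forms such as "v1.4.3", "1.4.3", "v1.4.4-rc1", "v1.4.4+meta".
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 { // pre-release sorts before the final release
		v.prerelease = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("malformed version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("malformed version component %q", p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports whether a sorts strictly before b under semver ordering.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.prerelease && !b.prerelease
}

// IsVulnerable reports whether a cheqd-node version falls inside the advisory's range.
func IsVulnerable(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed, _ := parseVersion(FixedVersion)
	return v.less(fixed), nil
}

// Validator is a constructed record (field names are assumptions for this example):
// a validator's voting power and the cheqd-node version it reports.
type Validator struct {
	Moniker string
	Power   int64
	Version string
}

// NetworkStatus mirrors the three states in the advisory's Mitigation section.
type NetworkStatus string

const (
	StatusVulnerable NetworkStatus = "attack succeeds: under ~33% of voting power patched"
	StatusHalt       NetworkStatus = "attack fails but halts the chain: ~33% to ~67% patched"
	StatusSafe       NetworkStatus = "attack fails without a halt: at least ~67% patched"
)

// AssessNetwork returns the fraction of voting power on patched versions and the
// resulting state; 1/3 and 2/3 stand in for the advisory's approximate thresholds.
func AssessNetwork(vals []Validator) (float64, NetworkStatus, error) {
	var total, patched int64
	for _, v := range vals {
		vuln, err := IsVulnerable(v.Version)
		if err != nil {
			return 0, "", fmt.Errorf("%s: %w", v.Moniker, err)
		}
		total += v.Power
		if !vuln {
			patched += v.Power
		}
	}
	if total == 0 {
		return 0, "", fmt.Errorf("validator set has no voting power")
	}
	frac := float64(patched) / float64(total)
	switch {
	case frac >= 2.0/3:
		return frac, StatusSafe, nil
	case frac >= 1.0/3:
		return frac, StatusHalt, nil
	}
	return frac, StatusVulnerable, nil
}

func main() {
	// Constructed sample validator set, not real cheqd network data.
	set := []Validator{
		{Moniker: "val-a", Power: 40, Version: "v1.4.4"},
		{Moniker: "val-b", Power: 30, Version: "v1.4.3"},
		{Moniker: "val-c", Power: 20, Version: "v1.4.4-rc1"},
		{Moniker: "val-d", Power: 10, Version: "1.4.5"},
	}
	frac, status, err := AssessNetwork(set)
	if err != nil {
		panic(err)
	}
	fmt.Printf("patched voting power: %.0f%% -> %s\n", frac*100, status)
}
```

The sample set deliberately includes a release candidate of the fixed version: under semver it orders before v1.4.4, so the check treats it as unpatched rather than silently counting it toward the safe threshold.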
Metadata
Created: 2023-06-12T18:34:26Z
Modified: 2023-06-12T18:34:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-8qxh-2gh8-r923/GHSA-8qxh-2gh8-r923.json
CWE IDs: []
Alternative ID: N/A
Finding: F039
Auto approve: 1