blob: 47de9b26a27f3e7b186b9a315c4b3481f5cb424c [file] [log] [blame]
id: GO-2023-1883
modules:
- module: github.com/cometbft/cometbft
versions:
- fixed: 0.37.2
vulnerable_at: 0.37.1
packages:
- package: github.com/cometbft/cometbft/mempool/v0
symbols:
- CListMempool.resCbFirstTime
derived_symbols:
- CListMempool.CheckTx
- Reactor.ReceiveEnvelope
summary: Denial of service via OOM in github.com/cometbft/cometbft
description: |-
A bug in the CometBFT middleware causes the mempool's two data structures to
fall out of sync. This can lead to duplicate transactions that cannot be
removed, even after they are committed in a block. The only way to remove
the transaction is to restart the node. This can be exploited by an attacker
to bring down a node by repeatedly submitting duplicate transactions.
cves:
- CVE-2023-34451
ghsas:
- GHSA-w24w-wp77-qffm
references:
- advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffm
- fix: https://github.com/cometbft/cometbft/pull/890
- fix: https://github.com/tendermint/tendermint/pull/2778
notes:
- The advisory refers to versions beginning 0.34. The module at those versions requires a replace directive to be usable. There is a fix in 0.34.28.