data/reports/GO-2021-0090.yaml - vulndb - Git at Google

 modules:
   - module: github.com/tendermint/tendermint
     versions:
       - introduced: 0.33.0
         fixed: 0.34.0-dev1.0.20200702134149-480b995a3172
     vulnerable_at: 0.33.0
     packages:
       - package: github.com/tendermint/tendermint/types
         symbols:
           - VoteSet.MakeCommit
         derived_symbols:
           - MakeCommit
 summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
 description: |
     Proposed commits may contain signatures for blocks not contained
     within the commit. Instead of skipping these signatures, they
     cause failure during verification. A malicious proposer can use
     this to force consensus failures.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-15091
 ghsas:
   - GHSA-6jqj-f58p-mrw3
 credits:
   - Neeraj Murarka
 references:
   - fix: https://github.com/tendermint/tendermint/pull/5426
   - fix: https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
   - web: https://github.com/tendermint/tendermint/issues/4926
	modules:
	- module: github.com/tendermint/tendermint
	versions:
	- introduced: 0.33.0
	fixed: 0.34.0-dev1.0.20200702134149-480b995a3172
	vulnerable_at: 0.33.0
	packages:
	- package: github.com/tendermint/tendermint/types
	symbols:
	- VoteSet.MakeCommit
	derived_symbols:
	- MakeCommit
	summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
	description: \|
	Proposed commits may contain signatures for blocks not contained
	within the commit. Instead of skipping these signatures, they
	cause failure during verification. A malicious proposer can use
	this to force consensus failures.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-15091
	ghsas:
	- GHSA-6jqj-f58p-mrw3
	credits:
	- Neeraj Murarka
	references:
	- fix: https://github.com/tendermint/tendermint/pull/5426
	- fix: https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
	- web: https://github.com/tendermint/tendermint/issues/4926