| id: GO-2023-1860 |
| modules: |
| - module: github.com/cosmos/ibc-go/v7 |
| versions: |
| - fixed: 7.0.1 |
| vulnerable_at: 7.0.0 |
| packages: |
| - package: github.com/cosmos/ibc-go/v7/modules/core/04-channel/keeper |
| symbols: |
| - Keeper.UnreceivedPackets |
| - package: github.com/cosmos/ibc-go/v7/modules/core/keeper |
| symbols: |
| - Keeper.RecvPacket |
| derived_symbols: |
| - Keeper.UnreceivedPackets |
| - module: github.com/cosmos/ibc-go/v6 |
| versions: |
| - fixed: 6.1.1 |
| vulnerable_at: 6.1.0 |
| packages: |
| - package: github.com/cosmos/ibc-go/v6/modules/core/04-channel/keeper |
| symbols: |
| - Keeper.UnreceivedPackets |
| skip_fix: v6.1.0 does not build without replace directives |
| - package: github.com/cosmos/ibc-go/v6/modules/core/keeper |
| symbols: |
| - Keeper.RecvPacket |
| skip_fix: v6.1.0 does not build without replace directives |
| - module: github.com/cosmos/ibc-go/v5 |
| versions: |
| - fixed: 5.2.1 |
| - introduced: 5.3.0 |
| - fixed: 5.3.1 |
| vulnerable_at: 5.3.0 |
| packages: |
| - package: github.com/cosmos/ibc-go/v5/modules/core/04-channel/keeper |
| symbols: |
| - Keeper.UnreceivedPackets |
| skip_fix: v5.3.0 does not build without replace directives |
| - package: github.com/cosmos/ibc-go/v5/modules/core/keeper |
| symbols: |
| - Keeper.RecvPacket |
| skip_fix: v5.3.0 does not build without replace directives |
| - module: github.com/cosmos/ibc-go/v4 |
| versions: |
| - fixed: 4.1.3 |
| - introduced: 4.2.0 |
| - fixed: 4.2.2 |
| - introduced: 4.3.0 |
| - fixed: 4.3.1 |
| - introduced: 4.4.0 |
| - fixed: 4.4.1 |
| vulnerable_at: 4.1.2 |
| packages: |
| - package: github.com/cosmos/ibc-go/v4/modules/core/04-channel/keeper |
| symbols: |
| - Keeper.UnreceivedPackets |
| skip_fix: v4.1.2 does not build without replace directives |
| - package: github.com/cosmos/ibc-go/v4/modules/core/keeper |
| symbols: |
| - Keeper.RecvPacket |
| skip_fix: v4.1.2 does not build without replace directives |
| summary: IBC protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go |
| description: |- |
| The ibc-go module is affected by the Inter-Blockchain Communication (IBC) |
| protocol "Huckleberry" vulnerability. |
| references: |
| - advisory: https://forum.cosmos.network/t/ibc-security-advisory-huckleberry/10731 |
| review_status: REVIEWED |