blob: 6b31af2efba8955c4dd27b9f7bd0bc78cfecaec0 [file] [log] [blame]
id: GO-2020-0037
modules:
- module: github.com/tendermint/tendermint
versions:
- fixed: 0.31.1
vulnerable_at: 0.31.0
packages:
- package: github.com/tendermint/tendermint/rpc/lib/client
symbols:
- makeHTTPClient
derived_symbols:
- NewJSONRPCClient
- NewURIClient
summary: Uncontrolled resource consumption in github.com/tendermint/tendermint
description: |-
Due to support of Gzip compression in request bodies, as well as a lack of
limiting response body sizes, a malicious server can cause a client to consume a
significant amount of system resources, which may be used as a denial of service
vector.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-3fm3-m23v-5r46
credits:
- '@guagualvcha'
references:
- fix: https://github.com/tendermint/tendermint/pull/3430
- fix: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613
cve_metadata:
id: CVE-2019-25072
cwe: 'CWE-400: Uncontrolled Resource Consumption'
review_status: REVIEWED