| modules: |
| - module: github.com/tendermint/tendermint |
| versions: |
| - fixed: 0.31.1 |
| packages: |
| - package: github.com/tendermint/tendermint/rpc/client |
| symbols: |
| - makeHTTPClient |
| description: | |
| Due to support of Gzip compression in request bodies, as well |
| as a lack of limiting response body sizes, a malicious server |
| can cause a client to consume a significant amount of system |
| resources, which may be used as a denial of service vector. |
| published: 2021-04-14T20:04:52Z |
| credit: '@guagualvcha' |
| references: |
| - fix: https://github.com/tendermint/tendermint/pull/3430 |
| - fix: https://github.com/tendermint/tendermint/commit/03085c2da23b179c4a51f59a03cb40aa4e85a613 |
| cve_metadata: |
| id: CVE-2019-25072 |
| cwe: 'CWE-400: Uncontrolled Resource Consumption' |