id: GO-2023-1882
modules:
    - module: github.com/cometbft/cometbft
      versions:
          - introduced: 0.37.1
          - fixed: 0.37.2
      vulnerable_at: 0.37.1
      packages:
          - package: github.com/cometbft/cometbft/consensus
            symbols:
                - PeerState.MarshalJSON
summary: Deadlock in github.com/cometbft/cometbft/consensus
description: |-
    An internal modification to the way PeerState is serialized to JSON introduced a
    deadlock when the new function MarshalJSON is called.
    This function can be called in two ways. The first is via logs, by setting the
    consensus logging module to "debug" level (which should not happen in
    production), and setting the log output format to JSON. The second is via RPC
    dump_consensus_state.
cves:
    - CVE-2023-34450
ghsas:
    - GHSA-mvj3-qrqh-cjvr
references:
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr
    - fix: https://github.com/cometbft/cometbft/pull/524
    - fix: https://github.com/cometbft/cometbft/pull/863
    - fix: https://github.com/cometbft/cometbft/pull/865
review_status: REVIEWED