data/reports: add GO-2024-2638.yaml
Aliases: GHSA-95rx-m9m5-m94v
Fixes golang/vulndb#2638
Change-Id: I8e85f92e3911373f467011ddf030da5dd2e40e6c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584757
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2638.json b/data/osv/GO-2024-2638.json
new file mode 100644
index 0000000..f76c9fa
--- /dev/null
+++ b/data/osv/GO-2024-2638.json
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2638",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-95rx-m9m5-m94v"
+ ],
+ "summary": "ValidateVoteExtensions function in Cosmos SDK may allow incorrect voting power assumptions in github.com/cosmos/cosmos-sdk",
+ "details": "The default ValidateVoteExtensions helper function infers total voting power based on the injected VoteExtension, which are injected by the proposer.\n\nIf your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cosmos/cosmos-sdk",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.50.0"
+ },
+ {
+ "fixed": "0.50.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/cosmos/cosmos-sdk/baseapp",
+ "symbols": [
+ "ValidateVoteExtensions"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-95rx-m9m5-m94v"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cosmos/cosmos-sdk/commit/4467110df40797ebe916c23ebfd45c9ee7583897"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.5"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2638"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2638.yaml b/data/reports/GO-2024-2638.yaml
new file mode 100644
index 0000000..db17163
--- /dev/null
+++ b/data/reports/GO-2024-2638.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2638
+modules:
+ - module: github.com/cosmos/cosmos-sdk
+ versions:
+ - introduced: 0.50.0
+ fixed: 0.50.5
+ vulnerable_at: 0.50.4
+ packages:
+ - package: github.com/cosmos/cosmos-sdk/baseapp
+ symbols:
+ - ValidateVoteExtensions
+summary: |-
+ ValidateVoteExtensions function in Cosmos SDK may allow incorrect voting
+ power assumptions in github.com/cosmos/cosmos-sdk
+description: |-
+ The default ValidateVoteExtensions helper function infers total voting power
+ based on the injected VoteExtension, which are injected by the proposer.
+
+ If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a
+ dishonest proposer can potentially mutate voting power of each validator it
+ includes in the injected VoteExtension, which could have potentially unexpected
+ or negative consequences on modified state. Additional validation on injected
+ VoteExtension data was added to confirm voting power against the state machine.
+ghsas:
+ - GHSA-95rx-m9m5-m94v
+references:
+ - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-95rx-m9m5-m94v
+ - fix: https://github.com/cosmos/cosmos-sdk/commit/4467110df40797ebe916c23ebfd45c9ee7583897
+ - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.5
+source:
+ id: GHSA-95rx-m9m5-m94v
+ created: 2024-05-10T15:59:33.780326-04:00
