GHSA-p7mv-53f2-4cwj: CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data

November 6, 2024 (updated November 20, 2024)

Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data Component: CometBFT Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2) Affected versions: >= 0.38.x, unreleased v1.x and main development branches Affected users: Chain Builders + Maintainers, Validators

References

docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts
github.com/advisories/GHSA-p7mv-53f2-4cwj
github.com/cometbft/cometbft
github.com/cometbft/cometbft/releases/tag/v0.38.15
github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj
pkg.go.dev/vuln/GO-2024-3259

Code Behaviors & Features

Detect and mitigate GHSA-p7mv-53f2-4cwj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →