GHSA-m3rh-cvr5-x6q4: CosmWasm wasmd has large address count in ValidateBasic

August 8, 2024 (updated November 18, 2024)

Component: wasmd Criticality: Low (ACMv1: I:Moderate; L:Unlikely) Patched versions: wasmd 0.52.0

In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in ValidateBasic.

See CWA-2024-003 for more details.

References

github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-003.md
github.com/CosmWasm/wasmd
github.com/CosmWasm/wasmd/commit/76c0c061c9cb6b142163883e46c26d99384dc443
github.com/CosmWasm/wasmd/security/advisories/GHSA-m3rh-cvr5-x6q4
github.com/advisories/GHSA-m3rh-cvr5-x6q4

Code Behaviors & Features

Detect and mitigate GHSA-m3rh-cvr5-x6q4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →