CVE-2020-15091: Improper Verification of Cryptographic Signature

December 20, 2021

TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (without changing chainID). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit.

References

github.com/advisories/GHSA-6jqj-f58p-mrw3
github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
github.com/tendermint/tendermint/issues/4926
github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3
nvd.nist.gov/vuln/detail/CVE-2020-15091

Detect and mitigate CVE-2020-15091 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →