CVE-2020-15091
- Source
- https://cve.org/CVERecord?id=CVE-2020-15091
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15091.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-15091
- Aliases
- Related
- Published
- 2020-07-02T17:15:12.547Z
- Modified
- 2026-02-23T08:21:56.864231Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (without changing chainID). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit.
- References
-
- https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
- https://github.com/tendermint/tendermint/issues/4926
- https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3
- https://github.com/tendermint/tendermint/issues/4926
- https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
- https://github.com/tendermint/tendermint/issues/4926
- https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3