GHSA-j2cr-jc39-wpx5

Source
https://github.com/advisories/GHSA-j2cr-jc39-wpx5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-j2cr-jc39-wpx5/GHSA-j2cr-jc39-wpx5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j2cr-jc39-wpx5
Aliases
Published
2023-07-07T18:34:27Z
Modified
2023-11-01T05:09:33.770524Z
Summary
Barberry Security Advisory - regarding x/auth periodic vesting accounts
Details

Impact

In PeriodicVestingAccount, defined in x/auth, an attacker can initialize a victim's account as a malicious vesting account: the account accepts deposits but never allows withdrawals. Any funds the victim then deposits into that account are locked forever, with no way for the victim to withdraw them.

Patches

>= v0.46.13 for Cosmos SDK v0.46.x
>= v0.47.3 for Cosmos SDK v0.47.x

If a network backported periodic vesting accounts to earlier versions of the SDK, those networks are affected too.

Workarounds

There is no workaround for this issue. Upgrade immediately.
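The quickest way to confirm exposure is to compare the github.com/cosmos/cosmos-sdk version a chain binary builds against with the two affected ranges listed on this page, [0.46.0, 0.46.13) and [0.47.0, 0.47.3). The Go program below is an added example written for this page, not code from the Cosmos SDK or the advisory: it parses `go list -m all` style output (a constructed sample is embedded), handles `=>` replace directives and pseudo-versions such as v0.46.13-0.20230601000000-abcdef123456 (a commit before the v0.46.13 tag, so still affected), and reports whether the effective version is in range. The module-list format and the sample lines are assumptions; the ranges are the advisory's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semantic version. Pre holds any pre-release suffix
// (for example the "0.20230601000000-abcdef123456" part of a Go
// pseudo-version); a version with a pre-release suffix sorts before the
// same major.minor.patch without one, which matters for pseudo-versions
// cut between a fixed tag's predecessor and the fixed tag itself.
type Version struct {
	Major, Minor, Patch int
	Pre                 string
}

// ParseVersion accepts "0.46.12", "v0.46.12", "v0.47.3-rc1" or a Go
// pseudo-version. Build metadata after "+" is ignored for ordering.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	var pre string
	if i := strings.Index(s, "-"); i >= 0 {
		pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("not a major.minor.patch version: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2], pre}, nil
}

// Less reports whether a orders before b. Pre-release suffixes are
// compared as plain strings, which is enough for the ranges checked here.
func (a Version) Less(b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	if a.Patch != b.Patch {
		return a.Patch < b.Patch
	}
	if (a.Pre == "") != (b.Pre == "") {
		return a.Pre != "" // pre-release sorts before the release
	}
	return a.Pre < b.Pre
}

// Range is the half-open [Introduced, Fixed) interval OSV SEMVER events describe.
type Range struct{ Introduced, Fixed Version }

func (r Range) Contains(v Version) bool {
	return !v.Less(r.Introduced) && v.Less(r.Fixed)
}

// AffectedRanges are the two ranges listed on the advisory page.
var AffectedRanges = []Range{
	{Version{Major: 0, Minor: 46, Patch: 0}, Version{Major: 0, Minor: 46, Patch: 13}},
	{Version{Major: 0, Minor: 47, Patch: 0}, Version{Major: 0, Minor: 47, Patch: 3}},
}

// IsAffected reports whether v falls in either affected range.
func IsAffected(v Version) bool {
	for _, r := range AffectedRanges {
		if r.Contains(v) {
			return true
		}
	}
	return false
}

// CheckModuleList scans `go list -m all` output for cosmos-sdk and returns the
// effective version string, whether it is affected, and whether it was found.
// For a replaced module ("path ver => newpath newver") the effective version
// is the last field on the line; a directory replacement yields a parse error.
func CheckModuleList(goList string) (version string, affected, found bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(goList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "github.com/cosmos/cosmos-sdk" {
			continue
		}
		version = fields[len(fields)-1]
		v, perr := ParseVersion(version)
		if perr != nil {
			return version, false, true, perr
		}
		return version, IsAffected(v), true, nil
	}
	return "", false, false, sc.Err()
}

func main() {
	// Constructed sample of `go list -m all` output, not real project data.
	sample := "github.com/cometbft/cometbft v0.37.2\ngithub.com/cosmos/cosmos-sdk v0.47.2\n"
	ver, affected, found, err := CheckModuleList(sample)
	switch {
	case err != nil:
		fmt.Println("cannot determine cosmos-sdk version:", err)
	case !found:
		fmt.Println("github.com/cosmos/cosmos-sdk not in module list")
	case affected:
		fmt.Printf("cosmos-sdk %s is in an affected range for GHSA-j2cr-jc39-wpx5; upgrade\n", ver)
	default:
		fmt.Printf("cosmos-sdk %s is not in an affected range\n", ver)
	}
}
```

Run it against `go list -m all` from the chain's repository. A "not affected" result only covers the version ranges above: a fork, a `=>` replacement, or a chain that backported periodic vesting accounts to an older SDK line still needs a manual check of its x/auth code, as the Patches section warns.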

References

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-07T18:34:27Z"
}
Affected packages

Go / github.com/cosmos/cosmos-sdk

Package

Name
github.com/cosmos/cosmos-sdk
Purl
pkg:golang/github.com/cosmos/cosmos-sdk

Affected ranges

Type
SEMVER
Events
Introduced
0.46.0
Fixed
0.46.13

Database specific

{
    "last_known_affected_version_range": "<= 0.46.12"
}

Go / github.com/cosmos/cosmos-sdk

Package

Name
github.com/cosmos/cosmos-sdk
Purl
pkg:golang/github.com/cosmos/cosmos-sdk

Affected ranges

Type
SEMVER
Events
Introduced
0.47.0
Fixed
0.47.3

Database specific

{
    "last_known_affected_version_range": "<= 0.47.2"
}