Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cXhoLTJnaDgtcjkyM84AAzyT
cheqd-node subject to Cosmos SDK "Barberry" vulnerability
Impact
This vulnerability, dubbed "Barberry", affects the Cosmos SDK framework that cheqd-node uses as its base.
It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework.
There is no vulnerability in the DID/resource modules of cheqd-node.
Patches
Node operators are requested to upgrade to cheqd-node v1.4.4. This is not a state-breaking release and does not require a coordinated upgrade across all node operators.
This vulnerability was patched in Cosmos SDK v0.46.13. Since this version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was backported to cheqd's fork of Cosmos SDK.
Mitigation
When at least ~33% of the voting power of the network has deployed the recommended version of the software, any attack would be unsuccessful but would cause a chain halt.
Once at least ~67% of the voting power of the network has deployed the recommended version of the software, the attack would be unsuccessful without a chain halt.
Workarounds
None. Node operators are advised to upgrade to the latest release version.
Permalink: https://github.com/advisories/GHSA-8qxh-2gh8-r923
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cXhoLTJnaDgtcjkyM84AAzyT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-8qxh-2gh8-r923
References:
- https://github.com/cheqd/cheqd-node/security/advisories/GHSA-8qxh-2gh8-r923
- https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825
- https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13
- https://github.com/advisories/GHSA-8qxh-2gh8-r923
Blast Radius: 0.0
Affected Packages
go:github.com/cheqd/cheqd-node
Dependent packages: 1
Dependent repositories: 2
Affected Version Ranges: < 1.4.4
Fixed in: 1.4.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.19, 0.1.20, 0.1.21, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3
All unaffected versions: 1.4.4, 1.4.5