Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMmNyLWpjMzktd3B4Nc4AA0fr
Barberry Security Advisory - regarding x/auth periodic vesting accounts
Impact
In PeriodicVestingAccount, defined in x/auth, an attacker can initialize a victim's account as a malicious vesting account, which allows deposits but does not allow withdrawals. When the user then deposits funds into their account, those funds are locked forever, and the user is not able to withdraw them.
Patches
>= v0.46.13 for Cosmos SDK v0.46.x
>= v0.47.3 for Cosmos SDK v0.47.x
If a network backported periodic vesting accounts to earlier versions of the SDK, those networks are affected too.
Workarounds
There is no workaround for this issue. Upgrade immediately.
References
- Patched versions release notes: v0.47.3, v0.46.13.
- Forum Post
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMmNyLWpjMzktd3B4Nc4AA0fr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-j2cr-jc39-wpx5
References:
- https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-j2cr-jc39-wpx5
- https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825
- https://github.com/cosmos/cosmos-sdk/blob/cfc757dc5043fb2758c47c146d2912fd010c1a45/RELEASE_NOTES.md#cosmos-sdk-v0473-release-notes
- https://github.com/cosmos/cosmos-sdk/blob/d4b7164de5d8391e6aa644d8ea84e07396dd9653/RELEASE_NOTES.md#cosmos-sdk-v04613-release-notes
- https://github.com/cosmos/cosmos-sdk/pull/16466
- https://github.com/advisories/GHSA-j2cr-jc39-wpx5
Blast Radius: 0.0
Affected Packages
go:github.com/cosmos/cosmos-sdk
Dependent packages: 3,776Dependent repositories: 2,329
Downloads:
Affected Version Ranges: >= 0.47.0, <= 0.47.2, >= 0.46.0, <= 0.46.12
Fixed in: 0.47.3, 0.46.13
All affected versions: 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.46.5, 0.46.6, 0.46.7, 0.46.8, 0.46.9, 0.46.10, 0.46.11, 0.46.12, 0.47.0, 0.47.1, 0.47.2
All unaffected versions: 0.0.2, 0.0.3, 0.0.4, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.25.0, 0.26.0, 0.27.0, 0.27.1, 0.28.0, 0.28.1, 0.29.0, 0.29.1, 0.30.0, 0.31.0, 0.31.1, 0.31.2, 0.32.0, 0.33.0, 0.33.1, 0.33.2, 0.34.0, 0.34.1, 0.34.2, 0.34.3, 0.34.4, 0.34.5, 0.34.6, 0.34.7, 0.34.8, 0.34.9, 0.34.10, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.37.3, 0.37.4, 0.37.5, 0.37.6, 0.37.7, 0.37.8, 0.37.9, 0.37.10, 0.37.11, 0.37.12, 0.37.13, 0.37.14, 0.37.15, 0.38.0, 0.38.1, 0.38.2, 0.38.3, 0.38.4, 0.38.5, 0.39.0, 0.39.1, 0.39.2, 0.39.3, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2, 0.41.3, 0.41.4, 0.42.0, 0.42.1, 0.42.2, 0.42.3, 0.42.4, 0.42.5, 0.42.6, 0.42.7, 0.42.8, 0.42.9, 0.42.10, 0.42.11, 0.43.0, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.44.5, 0.44.6, 0.44.7, 0.44.8, 0.45.0, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.45.7, 0.45.8, 0.45.9, 0.45.10, 0.45.11, 0.45.12, 0.45.13, 0.45.14, 0.45.15, 0.45.16, 0.46.13, 0.46.14, 0.46.15, 0.46.16, 0.47.3, 0.47.4, 0.47.5, 0.47.6, 0.47.7, 0.47.8, 0.50.0, 0.50.1, 0.50.2, 0.50.3