Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qOTJjLW1tZjctajV4Nc4AAvaR
Potential inter-blockchain communication (IBC) protocol compromise via "Dragonberry" vulnerability in cheqd
Impact
cheqd-node inherits a vulnerability in its upstream dependency, Cosmos SDK, dubbed "Dragonberry", which affects IBC transfers. An attacker could exploit it to compromise chain-to-chain IBC transfers.
There is no vulnerability in the DID/resource modules for cheqd-node.
Patches
Node operators are requested to upgrade to cheqd-node v0.6.9 as soon as possible. Installation instructions are in the release notes. Please do not install any beta/pre-release versions.
Workarounds
None. The patch takes effect only once more than 2/3 of the voting power of the cheqd network has upgraded to it.
An emergency hotfix was previously released as v0.6.8, but it is now deprecated because Cosmos SDK v0.45.9 fixes the issue upstream.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in cheqd-node repo
- Email us at [email protected]
- Message us on our community Slack or Discord
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOTJjLW1tZjctajV4Nc4AAvaR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-j92c-mmf7-j5x5
References:
- https://github.com/cheqd/cheqd-node/security/advisories/GHSA-j92c-mmf7-j5x5
- https://forum.cosmos.network/t/ibc-security-advisory-dragonberry/7702/1
- https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9
- https://github.com/advisories/GHSA-j92c-mmf7-j5x5
Blast Radius: 0.0
Affected Packages
go:github.com/cheqd/cheqd-node
Dependent packages: 1
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 0.6.9
Fixed in: 0.6.9
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.19, 0.1.20, 0.1.21, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8
All unaffected versions: 0.6.9, 0.6.10, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5
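As an added example (not code from cheqd, from Cosmos SDK or from this advisory page), the following Go program applies the advisory's affected range for go:github.com/cheqd/cheqd-node (< 0.6.9, fixed in 0.6.9) to the output of `go list -m all`. The module listing is constructed and the `github.com/example/ibc-relayer` main module is hypothetical. Only cheqd-node is in the range table: the Cosmos SDK fix version quoted above is not turned into a range, because the page does not state one. Versions are compared by SemVer precedence rather than as strings, so a pre-release such as v0.6.9-beta.1 is still reported as affected, which matches the release note's warning against installing beta builds.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go list -m all` output for a hypothetical project that depends on
// cheqd-node; not a real build, the versions are illustrative.
const sampleGoList = "github.com/example/ibc-relayer\ngithub.com/cheqd/cheqd-node v0.6.8\n" +
	"github.com/cosmos/cosmos-sdk v0.45.8\ngithub.com/tendermint/tendermint v0.34.21\n"

// fixedIn: module path -> first fixed version per the advisory (affected range: < 0.6.9).
var fixedIn = map[string]string{"github.com/cheqd/cheqd-node": "v0.6.9"}

// semver is a parsed Go module version such as v0.6.9-beta.1+build7.
type semver struct {
	core [3]int
	pre  string // pre-release suffix after '-'; empty for a final release
}

// parseSemver parses "vMAJOR.MINOR.PATCH[-PRE][+BUILD]"; build metadata is ignored.
// Go pseudo-versions (v0.0.0-yyyymmdd-hash) parse as 0.0.0 plus a pre-release tag,
// so they sort below every tagged release and get flagged: check those by commit.
func parseSemver(s string) (semver, error) {
	var v semver
	s, _, _ = strings.Cut(strings.TrimPrefix(s, "v"), "+")
	s, v.pre, _ = strings.Cut(s, "-")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad numeric component %q", p)
		}
		v.core[i] = n
	}
	return v, nil
}

// compareSemver returns a negative, zero or positive value by SemVer precedence:
// numeric core first, then a pre-release sorts BELOW its final release
// (0.6.9-beta.1 < 0.6.9), so the advisory's "< 0.6.9" range also covers beta builds.
// Two pre-releases of one core are compared as plain strings (a SemVer simplification).
func compareSemver(a, b semver) int {
	for i := range a.core {
		if d := a.core[i] - b.core[i]; d != 0 {
			return d
		}
	}
	if a.pre == "" || b.pre == "" {
		return len(b.pre) - len(a.pre) // a final release (empty pre) outranks any pre-release
	}
	return strings.Compare(a.pre, b.pre)
}

// isAffected reports whether module@version is below the advisory's fixed version;
// modules absent from fixedIn are out of scope and never reported.
func isAffected(module, version string) (bool, error) {
	fixed, ok := fixedIn[module]
	if !ok {
		return false, nil
	}
	have, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	want, _ := parseSemver(fixed) // table entries are well-formed
	return compareSemver(have, want) < 0, nil
}

// scanGoList walks `go list -m all` output ("path version" per line; the main module line
// has no version) and returns "module version -> fixed" per affected entry. "=>" replace lines are judged on the left-hand side only.
func scanGoList(listing string) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		hit, err := isAffected(f[0], f[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f[0], err)
		}
		if hit {
			out = append(out, fmt.Sprintf("%s %s -> %s", f[0], f[1], fixedIn[f[0]]))
		}
	}
	return out, sc.Err()
}

func main() {
	findings, err := scanGoList(sampleGoList)
	fmt.Println("affected (GHSA-j92c-mmf7-j5x5):", findings, "error:", err)
}
```

To run it against a real build, pipe `go list -m all` from the repository that vendors cheqd-node into scanGoList instead of the constructed listing. A module pinned by a `replace` directive or a pseudo-version still needs a manual check of the commit it resolves to.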