Vulnerability Report: GO-2023-1882

CVE-2023-34450, GHSA-mvj3-qrqh-cjvr
Affects: github.com/cometbft/cometbft
Published: Jul 06, 2023
Modified: May 20, 2024

An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called. This function can be called in two ways. The first is via logs, by setting the consensus logging module to "debug" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dump_consensus_state.

For detailed information about this vulnerability, visit https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr.

Affected Packages

Path

Go Versions

Symbols
github.com/cometbft/cometbft/consensus

from v0.37.1 before v0.37.2
- PeerState.MarshalJSON

Aliases

CVE-2023-34450
GHSA-mvj3-qrqh-cjvr

References

https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr
https://github.com/cometbft/cometbft/pull/524
https://github.com/cometbft/cometbft/pull/863
https://github.com/cometbft/cometbft/pull/865
https://vuln.go.dev/ID/GO-2023-1882.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL