{"url":"http://public2.vulnerablecode.io/api/packages/377421?format=json","purl":"pkg:golang/github.com/cosmos/cosmos-sdk@0.50.12","type":"golang","namespace":"github.com/cosmos","name":"cosmos-sdk","version":"0.50.12","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.50.13","latest_non_vulnerable_version":"0.53.3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360614?format=json","vulnerability_id":"VCID-ps5m-mqcm-tbgw","summary":"Cosmos SDK: Groups module can halt chain when handling a malicious proposal\nName: ASA-2025-003: Groups module can halt chain when handling a malicious proposal\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: <= v0.47.15, <= 0.50.11\nAffected users: Validators, Full nodes, Users on chains that utilize the groups module\n\n### Description\n\nAn issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.\n\n### Patches\n\nThe new Cosmos SDK release [v0.50.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12) and [v0.47.16](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16) fix this issue.\n\n### Workarounds\n\nThere are no known workarounds for this issue.  It is advised that chains apply the update.\n\n### Timeline\n\n* February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program\n* February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team\n* February 9, 2025, 12:25pm PST: Core team completes validation of issue\n* February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered\n* February 20, 2025, 8:00am PST / 17:00 CET: Patch made available\n\nThis issue was reported to the Cosmos Bug Bounty Program by [dongsam](https://github.com/dongsam) on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.  \n\nA Github Security Advisory for this issue is available in the Cosmos SDK [repository](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p).","references":[{"reference_url":"https://github.com/cosmos/cosmos-sdk","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cosmos/cosmos-sdk"},{"reference_url":"https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea"},{"reference_url":"https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16"},{"reference_url":"https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12"},{"reference_url":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377420?format=json","purl":"pkg:golang/github.com/cosmos/cosmos-sdk@0.47.16-ics-lsm","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cosmos/cosmos-sdk@0.47.16-ics-lsm"},{"url":"http://public2.vulnerablecode.io/api/packages/377421?format=json","purl":"pkg:golang/github.com/cosmos/cosmos-sdk@0.50.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cosmos/cosmos-sdk@0.50.12"}],"aliases":["GHSA-x5vx-95h7-rv4p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ps5m-mqcm-tbgw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cosmos/cosmos-sdk@0.50.12"}