CVE-2023-34450
MEDIUM5.3EPSS 0.06%Deadlock in github.com/cometbft/cometbft/consensus
Published: 7/5/2023Modified: 5/20/2024
Description
An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called. This function can be called in two ways. The first is via logs, by setting the consensus logging module to "debug" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dump_consensus_state.
Affected packages (2)
- Go/github.com/cometbft/cometbft>= 0.34.28, < 0.34.29
- Go/github.com/cometbft/cometbft>= 0.37.1, < 0.37.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-34450
- PATCHhttps://github.com/cometbft/cometbft
- WEBhttps://github.com/cometbft/cometbft/pull/524
- WEBhttps://github.com/cometbft/cometbft/pull/863
- WEBhttps://github.com/cometbft/cometbft/pull/865
- WEBhttps://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr