SCA: security update for github.com/cosmos/cosmos-sdk (GHSA-2p6r-37p9-89p2)

medium Tenable Cloud Security Plugin ID 409007

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK
were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the
x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined
expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared
to the node's local clock time rather than to the block time. Because validators' wall clocks differ, a
MsgGrant whose expiration falls close to the current time can pass that check on some validators and fail
on others, so the validator set no longer agrees on the validity of the same transaction and cannot reach
consensus on the block containing it. Any chain running an affected version of the SDK with the authz
module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery
would require applying the patch and rolling back the latest block. Users are advised to update to version
0.44.2. (CVE-2021-41135)
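The following Go program is an added illustration of the defect class, not code from cosmos-sdk or from this advisory. It models a cut-down Grant with only the Expiration field and two validators whose wall clocks are skewed relative to the block time (all names, the Validator type and the clock offsets are constructed for the example). The vulnerable shape compares the expiration with each node's own clock, as the affected ValidateBasic did with time.Now(); the deterministic shape compares it with the block header time that every validator sees identically, which in the SDK is available as ctx.BlockTime() in the message handler rather than in the stateless ValidateBasic. The point of the model is to show that the same transaction splits the validator set under the first check and not under the second.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is a cut-down stand-in (constructed for this example) for the x/authz
// Grant carried in MsgGrant; the real type also holds the Authorization. Only
// the user-supplied Expiration matters for the bug.
type Grant struct {
	Expiration time.Time
}

// ErrExpired mirrors the "expired" rejection a validator returns.
var ErrExpired = errors.New("authorization expired")

// Validator is one node with its own wall clock (skew is assumed, constructed).
type Validator struct {
	Name  string
	Clock time.Time
}

// Decision records whether a named validator accepted the message.
type Decision struct {
	Node     string
	Accepted bool
}

// validateBasicWallClock has the vulnerable shape: a stateless ValidateBasic
// that compares the expiration with the node's own clock. The clock is a
// parameter so several validators can be modelled; the original read time.Now().
func validateBasicWallClock(g Grant, localNow time.Time) error {
	if !g.Expiration.After(localNow) {
		return ErrExpired
	}
	return nil
}

// validateAgainstBlockTime is the deterministic form: compare with the block
// header time, which every validator sees identically. In the SDK that value is
// ctx.BlockTime(), reachable from the message handler, not from ValidateBasic.
func validateAgainstBlockTime(g Grant, blockTime time.Time) error {
	if !g.Expiration.After(blockTime) {
		return ErrExpired
	}
	return nil
}

// RunWallClock applies the vulnerable check on each validator with its own clock.
func RunWallClock(g Grant, vals []Validator) []Decision {
	out := make([]Decision, 0, len(vals))
	for _, v := range vals {
		out = append(out, Decision{Node: v.Name, Accepted: validateBasicWallClock(g, v.Clock) == nil})
	}
	return out
}

// RunBlockTime applies the fixed check; the validators' own clocks are ignored.
func RunBlockTime(g Grant, blockTime time.Time, vals []Validator) []Decision {
	out := make([]Decision, 0, len(vals))
	for _, v := range vals {
		out = append(out, Decision{Node: v.Name, Accepted: validateAgainstBlockTime(g, blockTime) == nil})
	}
	return out
}

// Agree reports whether every validator reached the same decision. A split
// means the set cannot agree on the block containing this message: the halt.
func Agree(ds []Decision) bool {
	for i := 1; i < len(ds); i++ {
		if ds[i].Accepted != ds[0].Accepted {
			return false
		}
	}
	return true
}

func main() {
	// Constructed scenario: block time T, a grant expiring 5s after T, and two
	// validators whose clocks are 1s behind and 10s ahead of T respectively.
	blockTime := time.Date(2021, 10, 20, 12, 0, 0, 0, time.UTC)
	grant := Grant{Expiration: blockTime.Add(5 * time.Second)}
	vals := []Validator{
		{Name: "val-a", Clock: blockTime.Add(-1 * time.Second)},
		{Name: "val-b", Clock: blockTime.Add(10 * time.Second)},
	}

	wall := RunWallClock(grant, vals)
	fmt.Printf("wall-clock check: %+v agree=%v\n", wall, Agree(wall))

	fixed := RunBlockTime(grant, blockTime, vals)
	fmt.Printf("block-time check: %+v agree=%v\n", fixed, Agree(fixed))
}
```

The general rule the example illustrates is that nothing in ValidateBasic or a message handler may depend on per-node state such as the wall clock, the file system or map iteration order; anything that must be compared with "now" has to use the block time. To confirm which SDK version a chain binary was built against, run `go list -m github.com/cosmos/cosmos-sdk` in the chain's module and check that it reports 0.44.2 or later.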

See Also

https://github.com/advisories/GHSA-2p6r-37p9-89p2

Plugin Details

Severity: Medium

ID: 409007

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 8/7/2025

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2021-41135

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/21/2021

Vulnerability Publication Date: 10/20/2021

Reference Information

CVE: CVE-2021-41135

CWE: CWE-754