Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Light client verification not taking into account chain ID
Vulnerability Description
Tendermint is a high-performance blockchain consensus engine for Byzantine fault tolerant applications. Versions prior to 0.28.0 contain a potential attack via Improper Verification of Cryptographic Signature, affecting anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes). The light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client. The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks. This issue is patched in version 0.28.0. There are no workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
Tendermint 数据伪造问题漏洞
Vulnerability Description
Tendermint是美国Tendermint公司的一款Byzantine Fault Tolerant (BFT) 式中间件。 Tendermint 0.28.0之前版本存在数据伪造问题漏洞,该漏洞源于包含通过不正确的加密签名验证进行的潜在攻击,影响任何使用 tendermint-light-client 和相关软件包执行轻客户端验证的人,攻击者利用该漏洞可以欺骗轻客户端。
CVSS Information
N/A
Vulnerability Type
N/A