Uncontrolled resource consumption in github.com/tendermint/tendermint
CVE-2019-25072

7.5HIGH

Key Information:

Vendor: Github.com/tendermint/tendermint
Status: Github.com/tendermint/tendermint/rpc/lib/client
Vendor: CVE Published:; 27 December 2022

🔔 Create Github.com/tendermint/tendermint Vulnerability Alert

What is CVE-2019-25072?

Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.

Affected Version(s)

github.com/tendermint/tendermint/rpc/lib/client 0 < 0.31.1

References

https://github.com/tendermint/tendermint/pull/3430

https://github.com/tendermint/tendermint/commit/03085c2da...

https://pkg.go.dev/vuln/GO-2020-0037

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 27, 2022
Vulnerability Reserved
Jul 29, 2022

Credit

@guagualvcha