CVE-2021-41135
Severity: MEDIUM
Cosmos-SDK 0.43.0-0.44.2 - Consensus Halt via Non-Deterministic Grant Expiration Validation
Title source: llmDescription
The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the node’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.
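The defect the advisory describes is a determinism bug, not a classic memory or logic flaw: a stateless validation step consulted the node's wall clock, so validators with slightly different clocks (or a transaction whose expiration falls between two nodes' "now") disagree on whether the same block is valid, and a BFT chain that cannot agree stops. The Go program below is an added illustration, not code from the Cosmos-SDK or from the advisory. It models a minimal Grant type and two validation strategies under assumed names (validateBasicWallClock, validateBasicDeterministic, checkNotExpiredAtBlockTime, tallyWallClock, tallyBlockTime): the first compares the user-supplied expiration to each node's local clock, the second keeps ValidateBasic free of clock reads and checks expiration against the block time every node already agrees on.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is a constructed stand-in for an authz grant with a user-defined
// expiration. It is not the SDK's type.
type Grant struct {
	Expiration time.Time
}

// validateBasicWallClock reproduces the non-deterministic pattern from the
// advisory: the expiration is compared to whatever the local node thinks the
// current time is. Two honest nodes with different clocks return different
// results for the same transaction.
func validateBasicWallClock(g Grant, localNow time.Time) error {
	if !g.Expiration.After(localNow) {
		return errors.New("authorization has expired")
	}
	return nil
}

// validateBasicDeterministic performs only checks that depend on the message
// itself, so every node computes the same answer regardless of its clock.
func validateBasicDeterministic(g Grant) error {
	if g.Expiration.IsZero() {
		return errors.New("expiration must be set")
	}
	return nil
}

// checkNotExpiredAtBlockTime is the state-machine-side check: blockTime is
// part of consensus (the proposer's header time), so all nodes agree on it.
func checkNotExpiredAtBlockTime(g Grant, blockTime time.Time) error {
	if !g.Expiration.After(blockTime) {
		return errors.New("authorization has expired")
	}
	return nil
}

// tallyWallClock counts how many nodes, each with its own clock, accept the
// grant under the vulnerable rule. Any split vote is a potential halt.
func tallyWallClock(g Grant, clocks []time.Time) (accept, reject int) {
	for _, now := range clocks {
		if validateBasicWallClock(g, now) == nil {
			accept++
		} else {
			reject++
		}
	}
	return accept, reject
}

// tallyBlockTime counts acceptance across n nodes under the deterministic
// rule. Node clocks are irrelevant; only the shared block time matters.
func tallyBlockTime(g Grant, blockTime time.Time, n int) (accept, reject int) {
	for i := 0; i < n; i++ {
		ok := validateBasicDeterministic(g) == nil &&
			checkNotExpiredAtBlockTime(g, blockTime) == nil
		if ok {
			accept++
		} else {
			reject++
		}
	}
	return accept, reject
}

func main() {
	// Constructed scenario: a grant that expires at a chosen instant, and four
	// validators whose clocks straddle that instant by a couple of seconds.
	expiry := time.Date(2021, 10, 12, 12, 0, 0, 0, time.UTC)
	g := Grant{Expiration: expiry}
	clocks := []time.Time{
		expiry.Add(-2 * time.Second),
		expiry.Add(-1 * time.Second),
		expiry.Add(1 * time.Second),
		expiry.Add(2 * time.Second),
	}

	a, r := tallyWallClock(g, clocks)
	fmt.Printf("wall clock rule:  %d accept, %d reject (split vote)\n", a, r)

	a, r = tallyBlockTime(g, expiry.Add(-1*time.Second), len(clocks))
	fmt.Printf("block time rule:  %d accept, %d reject (unanimous)\n", a, r)
}
```

The split vote in the first tally is the whole bug: nothing is malformed, yet the set of validators cannot converge on the block's validity. Moving the clock comparison out of ValidateBasic and into a check against consensus block time, as the second tally does, removes the dependency on local state. The same review question applies to any stateless validation hook in a replicated state machine: does it read anything (clock, randomness, environment, filesystem) that can differ between nodes?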
References (3)
Third Party Advisory (x_refsource_confirm)
https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-2p6r-37p9-89p2
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/cosmos/cosmos-sdk/commit/68ab790a761e80d3674f821794cf18ccbfed45ee
Exploit, Vendor Advisory (x_refsource_misc)
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349
Scores
CVSS v3
6.5
EPSS
0.0166
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-754
Status
published
Products (2)
cosmos/cosmos-sdk (Go)
0.43.0 - 0.44.2
interchain/cosmos_sdk
0.43.0 - 0.44.2
Published
Oct 20, 2021
Tracked Since
Feb 18, 2026