x/vulndb: potential Go vuln in github.com/cheqd/cheqd-node: GHSA-8qxh-2gh8-r923

[GoVulnBot]

In GitHub Security Advisory GHSA-8qxh-2gh8-r923, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cheqd/cheqd-node	1.4.4	< 1.4.4

Cross references:

• Module github.com/cheqd/cheqd-node appears in issue x/vulndb: potential Go vuln in github.com/cheqd/cheqd-node: GHSA-j92c-mmf7-j5x5 #1066 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/cheqd/cheqd-node
      versions:
        - fixed: 1.4.4
      packages:
        - package: github.com/cheqd/cheqd-node
summary: cheqd-node subject to Cosmos SDK "Barberry" vulnerability
description: |
    ### Impact
    This [vulnerability dubbed "Barberry" affects the Cosmos SDK framework](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825) used by `cheqd-node` as base.

    It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework.

    There is no vulnerability in the DID/resource modules for `cheqd-node`.

    ### Patches
    Node operators are requested to upgrade to [cheqd-node v1.4.4](https://github.com/cheqd/cheqd-node/releases/tag/v1.4.4). This is not a state-breaking release and does not require a coordinated upgrade across all node operators.

    This vulnerability was patched in [Cosmos SDK v0.46.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13). Since this version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was [backported to cheqd's fork of Cosmos SDK](https://github.com/cheqd/cosmos-sdk/releases/tag/v0.46.10-barberry).

    ### Mitigation
    When at least ~**33**% of the voting power of the network has deployed the recommended version of the software, any attack would be unsuccessful but cause a chain halt.

    Once at least ~**67**% of the voting power of the network has deployed recommended version of the software, the attack would be unsuccessful _without_ a chain halt.

    ### Workarounds
    No. Node operators are recommended to upgrade to the latest release version.

    ### References
    - ["Barberry" vulnerability security advisory](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825)
    - [Cosmos SDK v0.46.13 release notes](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13)
ghsas:
    - GHSA-8qxh-2gh8-r923
references:
    - advisory: https://github.com/cheqd/cheqd-node/security/advisories/GHSA-8qxh-2gh8-r923
    - web: https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825
    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13
    - advisory: https://github.com/advisories/GHSA-8qxh-2gh8-r923

[neild]

Filed an issue for the upstream vulnerability: #1861

[gopherbot]

Change https://go.dev/cl/503837 mentions this issue: data/excluded: batch add 21 excluded reports