x/vulndb: potential Go vuln in github.com/tharsis/evmos: CVE-2022-24738

[GoVulnBot]

In CVE-2022-24738, the reference URL github.com/tharsis/evmos (and possibly others) refers to something in Go.

• Commit: evmos/evmos@2887025

module: github.com/tharsis/evmos
package: evmos
description: |
    Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1 attackers are able to drain unclaimed funds from user addresses. To do this an attacker must create a new chain which does not enforce signature verification and connects it to the target evmos instance. The attacker can use this joined chain to transfer unclaimed funds. Users are advised to upgrade. There are no known workarounds for this issue.
cves:
  - CVE-2022-24738
links:
    commit: https://github.com/tharsis/evmos/commit/28870258d4ee9f1b8aeef5eba891681f89348f71
    context:
      - https://github.com/tharsis/evmos/releases/tag/v2.0.1
      - https://github.com/tharsis/evmos/security/advisories/GHSA-5jgq-x857-p8xw

See doc/triage.md for instructions on how to triage this report.

[neild]

This appears to be a vulnerability in application code, not a package end-users are expected to import. The actual fix does seem to be in a public package (github.com/tharsis/evmos/v2/x/claims/keeper), but this doesn't look a package intended for general use and the vulnerability announcement recommends upgrading applications, not libraries.

[gopherbot]

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607216 mentions this issue: data/reports: unexclude 20 reports (14)