data/reports: add GO-2024-2638.yaml

Aliases: GHSA-95rx-m9m5-m94v

Fixes #2638

Change-Id: I8e85f92e3911373f467011ddf030da5dd2e40e6c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584757
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>

data/osv/GO-2024-2638.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2638",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-95rx-m9m5-m94v"
+  ],
+  "summary": "ValidateVoteExtensions function in Cosmos SDK may allow incorrect voting power assumptions in github.com/cosmos/cosmos-sdk",
+  "details": "The default ValidateVoteExtensions helper function infers total voting power based on the injected VoteExtension, which are injected by the proposer.\n\nIf your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cosmos/cosmos-sdk",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.50.0"
+            },
+            {
+              "fixed": "0.50.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cosmos/cosmos-sdk/baseapp",
+            "symbols": [
+              "ValidateVoteExtensions"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-95rx-m9m5-m94v"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cosmos/cosmos-sdk/commit/4467110df40797ebe916c23ebfd45c9ee7583897"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.5"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2638"
+  }
+}

data/reports/GO-2024-2638.yaml

@@ -0,0 +1,32 @@
+id: GO-2024-2638
+modules:
+    - module: github.com/cosmos/cosmos-sdk
+      versions:
+        - introduced: 0.50.0
+          fixed: 0.50.5
+      vulnerable_at: 0.50.4
+      packages:
+        - package: github.com/cosmos/cosmos-sdk/baseapp
+          symbols:
+            - ValidateVoteExtensions
+summary: |-
+    ValidateVoteExtensions function in Cosmos SDK may allow incorrect voting
+    power assumptions in github.com/cosmos/cosmos-sdk
+description: |-
+    The default ValidateVoteExtensions helper function infers total voting power
+    based on the injected VoteExtension, which are injected by the proposer.
+
+    If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a
+    dishonest proposer can potentially mutate voting power of each validator it
+    includes in the injected VoteExtension, which could have potentially unexpected
+    or negative consequences on modified state. Additional validation on injected
+    VoteExtension data was added to confirm voting power against the state machine.
+ghsas:
+    - GHSA-95rx-m9m5-m94v
+references:
+    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-95rx-m9m5-m94v
+    - fix: https://github.com/cosmos/cosmos-sdk/commit/4467110df40797ebe916c23ebfd45c9ee7583897
+    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.5
+source:
+    id: GHSA-95rx-m9m5-m94v
+    created: 2024-05-10T15:59:33.780326-04:00