CVE-2020-5303: 
NixOS vulnerability analysis and mitigation

CVE-2020-5303 affects Tendermint versions before 0.33.3, 0.32.10, and 0.31.12. The vulnerability was discovered and disclosed in April 2020, impacting Tendermint's P2P connection handling mechanism. This denial-of-service vulnerability stems from two distinct issues in the software's peer connection management system (GitHub Advisory).

The vulnerability consists of two denial-of-service vectors: 1) Tendermint does not limit the number of P2P connection requests, allocating memory for each connection that, while eventually garbage collected, can cause temporary memory spikes leading to Out-Of-Memory (OOM) exceptions. 2) The software fails to properly reclaim activeID of a peer after removal in the Mempool reactor, specifically when a connection fails before Peer creation and addition to all reactors. This leads to continuous memory growth in the activeIDs map, which has a maximum size of 65535 entries (GitHub Advisory).

The vulnerability affects all full nodes except validators behind closed networks. When exploited, it causes the node's memory usage to increase progressively until it either panics in the mempool or crashes due to Out-Of-Memory conditions. The CVSS v3.1 base score is 3.7 (Low) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

The issues have been patched in Tendermint versions 0.33.3, 0.32.10, and 0.31.12. The fix includes limiting the total number of P2P incoming connection requests to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids) and implementing proper activeID management by claiming it during InitPeer execution before MConnection starts. No workarounds are available for unpatched versions (GitHub Advisory).