GHSA-4j93-fm92-rp4m: 
vulnerability analysis and mitigation

A vulnerability (GHSA-4j93-fm92-rp4m) was identified in the Cosmos SDK's x/auth/vesting module, affecting versions <= 0.50.3 and <= 0.47.8. The vulnerability, discovered on January 30, 2024, allows users to create periodic vesting accounts on blocked addresses, such as non-initialized module accounts. This security issue has been assigned a moderate severity rating with a CVSS score of 6.5 (GitHub Advisory).

The vulnerability stems from missing validation in the BlockedAddressed functionality within the vesting module. A variant of this issue was later discovered affecting the x/authz and x/feegrant modules. The issue primarily manifests when an uninitialized account is called by GetModuleAccount in Begin/EndBlock of a module. The vulnerability has been assigned CWE-20 classification and received a CVSS v3.1 base score of 6.5 with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The primary impact of this vulnerability is a potential Denial of Service (DoS) condition. If triggered, the vulnerability can lead to a chain halt when an uninitialized account is called by GetModuleAccount in Begin/EndBlock of a module. While the combination of an uninitialized blocked module account is not common, the potential for chain disruption makes this a significant concern (GitHub Advisory).

The vulnerability has been patched in versions 0.50.4 and 0.47.9 of the Cosmos SDK. Chain operators are advised to proactively initialize blocked module accounts, as these are typically initialized during chain migration or init genesis. Chain developers using affected versions should update to the latest available version of the Cosmos SDK. Network operators are recommended to ensure that 2/3 of the validator power upgrades to the patched versions (SDK Release, GitHub Advisory).