x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv

[GoVulnBot]

In GitHub Security Advisory GHSA-555p-m4v6-cqxv, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cometbft/cometbft		<= 0.38.5

Cross references:

• Module github.com/cometbft/cometbft appears in issue x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092 NOT_A_VULNERABILITY
• Module github.com/cometbft/cometbft appears in issue x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882
• Module github.com/cometbft/cometbft appears in issue x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883
• Module github.com/cometbft/cometbft appears in issue x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/cometbft/cometbft
      versions:
        - {}
      vulnerable_at: 0.38.5
      packages:
        - package: github.com/cometbft/cometbft
summary: |-
    ASA-2024-004: Default configuration param for Evidence may limit window of
    validity
ghsas:
    - GHSA-555p-m4v6-cqxv
references:
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-555p-m4v6-cqxv
    - advisory: https://github.com/advisories/GHSA-555p-m4v6-cqxv

[jba]

The report says that "a default configuration in CometBFT has been found to be small for common use cases" and refers to EvidenceParams. But the DefaultEvidenceParams function that supplies these defaults has not been changed in two years.

[jba]

Our rationale for that label is that govulncheck has nothing to base a report on. It would give false positives to anyone who adjusted the defaults appropriately, as well as anyone who used the defaults in a situation where they made sense.

[gopherbot]

Change https://go.dev/cl/569495 mentions this issue: data/excluded: batch add 11 excluded reports