PT-2023-32965 · Unknown · Cosmovisor

Published 2023-09-06 · Updated 2023-09-06

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Cosmovisor versions prior to v1.0.0
Description: An issue in Cosmovisor versions prior to v1.0.0 can lead to a Denial of Service or, depending on configuration, Remote Code Execution on a node or validator host that uses the vulnerable version to manage its node binary. If a validator runs an affected version with DAEMON_ALLOW_DOWNLOAD_BINARIES set to true (the setting that lets Cosmovisor fetch and run upgrade binaries itself instead of requiring the operator to pre-install them), an attacker may be able to trigger a Remote Code Execution path on the host.
Recommendations: For Cosmovisor versions prior to v1.0.0, immediately stop using the DAEMON_ALLOW_DOWNLOAD_BINARIES feature if it is set to true (set it to false in the environment of the Cosmovisor process and restart the service, since the variable is read at startup), then upgrade Cosmovisor to the latest supported version, which is v1.5.0 at the time of this advisory. If you are running a forked Cosmos SDK, stop using Cosmovisor until you can update to a supported version of Cosmovisor.
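The following POSIX shell helper is an added example, not part of this advisory or of the Cosmovisor project. It turns the recommendation above into a repeatable check for a validator host: given the Cosmovisor version string (assumed to be obtained out of band, e.g. from the release tag the binary was built from) and the service's environment file, it classifies the host as exposed to the RCE path (pre-v1.0.0 with downloads enabled), the DoS path (pre-v1.0.0 with downloads disabled), or not affected, and rewrites the environment file with DAEMON_ALLOW_DOWNLOAD_BINARIES=false. The sample environment file is constructed for the example; the truthy spellings accepted by is_true are an assumption that Cosmovisor parses the variable like Go's strconv.ParseBool.

```shell
#!/bin/sh
# Added audit helper for the Cosmovisor advisory (example code, not the project's own).

# Constructed sample of a systemd-style EnvironmentFile for a validator's
# cosmovisor service. Not taken from any real host.
cosmovisor_sample_env() {
  cat <<'EOF'
DAEMON_NAME=gaiad
DAEMON_HOME=/home/validator/.gaia
DAEMON_ALLOW_DOWNLOAD_BINARIES=true
DAEMON_RESTART_AFTER_UPGRADE=true
EOF
}

# Print the value of KEY from KEY=VALUE lines on stdin (last assignment wins).
env_value() {
  awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Truthy spellings, assumed to match Go's strconv.ParseBool (Cosmovisor's parser).
is_true() {
  case "$1" in
    1|t|T|true|TRUE|True) return 0 ;;
    *) return 1 ;;
  esac
}

# version_lt A B: succeed if dotted version A is lower than B.
# Accepts an optional leading "v" and ignores a pre-release suffix on the patch field.
version_lt() {
  a="${1#v}"; b="${2#v}"
  set -- $(printf '%s\n' "$a" | tr . ' '); a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a3=${a3%%-*}
  set -- $(printf '%s\n' "$b" | tr . ' '); b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b3=${b3%%-*}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# cosmovisor_exposure VERSION ALLOW_DOWNLOAD_VALUE
# Prints: vulnerable-rce-path, vulnerable-dos-path, not-affected-update-available, not-affected
cosmovisor_exposure() {
  ver="$1"; allow="$2"
  if version_lt "$ver" "1.0.0"; then
    if is_true "$allow"; then echo vulnerable-rce-path; else echo vulnerable-dos-path; fi
  elif version_lt "$ver" "1.5.0"; then
    echo not-affected-update-available   # below the latest supported release named in the advisory
  else
    echo not-affected
  fi
}

# Rewrite env-file text on stdin so downloads are disabled; append the line if missing.
harden_env() {
  awk -F= 'BEGIN { OFS = "=" }
    $1 == "DAEMON_ALLOW_DOWNLOAD_BINARIES" { $2 = "false"; seen = 1 }
    { print }
    END { if (!seen) print "DAEMON_ALLOW_DOWNLOAD_BINARIES=false" }'
}

# Example run on the constructed sample with an assumed pre-v1 version string.
allow="$(cosmovisor_sample_env | env_value DAEMON_ALLOW_DOWNLOAD_BINARIES)"
echo "exposure: $(cosmovisor_exposure v0.1.0 "$allow")"
echo "hardened environment file:"
cosmovisor_sample_env | harden_env
```

On a real host, replace cosmovisor_sample_env with the service's actual EnvironmentFile (for example the file referenced by the cosmovisor systemd unit) and restart the service after hardening, because the variable only takes effect when the Cosmovisor process starts. Disabling downloads closes the RCE path but does not remove the pre-v1.0.0 DoS exposure; only the upgrade does that.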

Related Identifiers

GHSA-23PX-MW2P-46QM

Affected Products

Cosmovisor