Vulnerabilities related to ethereum - go_ethereum
Vulnerability from fkie_nvd
Published
2018-09-08 15:29
Modified
2024-11-21 03:53
Summary
In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
Field | Value |
---|---|
CVE ID | CVE-2018-16733 |
Affected versions | before 1.8.14 |
CVSS v3.0 (nvd@nist.gov, Primary) | 7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVSS v2.0 (nvd@nist.gov, Primary) | 5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:P/A:N |
Weakness | CWE-20 (nvd@nist.gov, Primary) |
Status | Modified |
Reference | https://github.com/ethereum/go-ethereum/commit/106d196ec4a6451efedc60ab15957f231fa85639 (Third Party Advisory) |
Vulnerability from fkie_nvd
Published
2020-11-25 02:15
Modified
2024-11-21 05:19
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17.
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
Field | Value |
---|---|
CVE ID | CVE-2020-26241 |
Affected versions | before 1.9.17 |
CVSS v3.1 (nvd@nist.gov, Primary) | 7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
CVSS v3.1 (security-advisories@github.com, Secondary) | 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CVSS v2.0 (nvd@nist.gov, Primary) | 5.5 (Medium) - AV:N/AC:L/Au:S/C:N/I:P/A:P |
Weakness | CWE-682 (security-advisories@github.com, Primary) |
Status | Modified |
Reference | https://blog.ethereum.org/2020/11/12/geth_security_release/ (Vendor Advisory) |
Reference | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf (Third Party Advisory) |
Vulnerability from fkie_nvd
Published
2021-11-18 16:15
Modified
2024-11-21 06:29
Summary
Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/ethereum/go-ethereum/issues/23866 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/issues/23866 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | 1.10.9 |
Field | Value |
---|---|
CVE ID | CVE-2021-43668 |
CVSS v3.1 (nvd@nist.gov, Primary) | 5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVSS v2.0 (nvd@nist.gov, Primary) | 2.1 (Low) - AV:L/AC:L/Au:N/C:N/I:N/A:P |
Weakness | CWE-476 (nvd@nist.gov, Primary) |
Status | Modified |
Vulnerability from fkie_nvd
Published
2022-03-04 12:15
Modified
2024-11-21 06:48
Summary
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all pending transactions in a victim node's memory pool, causing a denial of service (DoS).
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://ethereum.com | Broken Link, Not Applicable | |
cve@mitre.org | http://go-ethereum.com | Broken Link | |
cve@mitre.org | https://dl.acm.org/doi/pdf/10.1145/3460120.3485369 | Exploit, Mitigation, Technical Description, Third Party Advisory | |
cve@mitre.org | https://tristartom.github.io/docs/ccs21.pdf | Exploit, Mitigation, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://ethereum.com | Broken Link, Not Applicable | |
af854a3a-2127-422b-91ae-364da2661108 | http://go-ethereum.com | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://dl.acm.org/doi/pdf/10.1145/3460120.3485369 | Exploit, Mitigation, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://tristartom.github.io/docs/ccs21.pdf | Exploit, Mitigation, Technical Description, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
Field | Value |
---|---|
CVE ID | CVE-2022-23327 |
Affected versions | up to and including 1.10.12 |
CVSS v3.1 (nvd@nist.gov, Primary) | 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v2.0 (nvd@nist.gov, Primary) | 5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:N/A:P |
Weakness | NVD-CWE-noinfo (nvd@nist.gov, Primary) |
Status | Modified |
Vulnerability from fkie_nvd
Published
2022-03-04 12:15
Modified
2024-11-21 06:48
Summary
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://ethereum.com | Product | |
cve@mitre.org | http://go-ethereum.com | Product | |
cve@mitre.org | https://dl.acm.org/doi/pdf/10.1145/3460120.3485369 | Exploit, Mitigation, Technical Description, Third Party Advisory | |
cve@mitre.org | https://tristartom.github.io/docs/ccs21.pdf | Exploit, Mitigation, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://ethereum.com | Product | |
af854a3a-2127-422b-91ae-364da2661108 | http://go-ethereum.com | Product | |
af854a3a-2127-422b-91ae-364da2661108 | https://dl.acm.org/doi/pdf/10.1145/3460120.3485369 | Exploit, Mitigation, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://tristartom.github.io/docs/ccs21.pdf | Exploit, Mitigation, Technical Description, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | - |
Field | Value |
---|---|
CVE ID | CVE-2022-23328 |
CVSS v3.1 (nvd@nist.gov, Primary) | 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v2.0 (nvd@nist.gov, Primary) | 5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:N/A:P |
Weakness | CWE-400 (nvd@nist.gov, Primary) |
Status | Modified |
Vulnerability from fkie_nvd
Published
2018-12-24 03:29
Modified
2024-11-21 04:01
Summary
Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/ethereum/go-ethereum/issues/18289 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/issues/18289 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | 1.8.19 |
Field | Value |
---|---|
CVE ID | CVE-2018-20421 |
CVSS v3.0 (nvd@nist.gov, Primary) | 7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v2.0 (nvd@nist.gov, Primary) | 5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:N/A:P |
Weakness | CWE-770 (nvd@nist.gov, Primary) |
Status | Modified |
Vulnerability from fkie_nvd
Published
2018-11-12 02:29
Modified
2024-11-21 03:57
Summary
cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/ethereum/go-ethereum/issues/18069 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/issues/18069 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | 1.8.17 |
Field | Value |
---|---|
CVE ID | CVE-2018-19184 |
CVSS v3.0 (nvd@nist.gov, Primary) | 7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v2.0 (nvd@nist.gov, Primary) | 5.0 (Medium) - AV:N/AC:L/Au:N/C:N/I:N/A:P |
Weakness | CWE-476 (nvd@nist.gov, Primary) |
Status | Modified |
Vulnerability from fkie_nvd
Published
2023-10-18 06:15
Modified
2024-11-21 08:22
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic."
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
Field | Value |
---|---|
CVE ID | CVE-2023-42319 |
Affected versions | up to and including 1.13.4 |
CVSS v3.1 (nvd@nist.gov, Primary) | 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 (134c704f-9b21-4f2e-91b3-4a467353bcc0, Secondary) | 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Weakness | NVD-CWE-noinfo (nvd@nist.gov, Primary) |
Status | Modified |
Reference | https://blog.mevsec.com/posts/geth-dos-with-graphql/ (Exploit) |
Reference | https://geth.ethereum.org/docs/fundamentals/security (Vendor Advisory) |
Vulnerability from fkie_nvd
Published
2018-07-05 02:29
Modified
2024-11-21 03:44
Severity ?
Summary
The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/ethereum/go-ethereum/pull/16891 | Issue Tracking, Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11 | Third Party Advisory | |
cve@mitre.org | https://peckshield.com/2018/06/27/EPoD/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/pull/16891 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://peckshield.com/2018/06/27/EPoD/ | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCDC4446-D7A9-4DCF-99A9-CBC521D3B46D", "versionEndExcluding": "1.8.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue." }, { "lang": "es", "value": "El manipulador GetBlockHeadersMsg en la implementaci\u00f3n del protocolo LES en Go Ethereum (tambi\u00e9n conocido como geth) en versiones anteriores a la1.8.11 puede conducir a una infracci\u00f3n de acceso debido a un error en la propiedad signedness de un n\u00famero entero para el \u00edndice del array, lo que permite que los atacantes lancen un ataque de denegaci\u00f3n de servicio (DoS) enviando un paquete con un valor -1 query.Skip. El nodo remoto vulnerable se cerrar\u00eda de manera inesperada por dicho ataque inmediatamente, tambi\u00e9n conocido como vulnerabilidad EPoD (Ethereum Packet of Death)." 
} ], "id": "CVE-2018-12018", "lastModified": "2024-11-21T03:44:25.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-07-05T02:29:00.247", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/16891" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://peckshield.com/2018/06/27/EPoD/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/16891" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://peckshield.com/2018/06/27/EPoD/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-129" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-24 16:15
Modified
2024-11-21 06:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions, a consensus vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8` release. No workarounds are available.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "674FB5E2-9389-46B4-959D-D9532B62E23C", "versionEndExcluding": "1.10.8", "versionStartIncluding": "1.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8` release. No workaround are available." }, { "lang": "es", "value": "go-ethereum es la implementaci\u00f3n oficial Go del protocolo Ethereum. En versiones afectadas, una vulnerabilidad de consenso en go-ethereum (Geth) podr\u00eda causar una divisi\u00f3n de cadena, donde las versiones vulnerables se niegan a aceptar la cadena can\u00f3nica. M\u00e1s adelante se divulgar\u00e1n m\u00e1s detalles sobre la vulnerabilidad. Se incluye un parche en la pr\u00f3xima versi\u00f3n \"v1.10.8\". No se presentan soluciones disponibles." 
} ], "id": "CVE-2021-39137", "lastModified": "2024-11-21T06:18:40.150", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-24T16:15:11.007", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-436" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-436" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-11-25 02:15
Modified
2024-11-21 05:19
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "E292A6FD-4230-4B0F-A36F-717C359940E3", "versionEndExcluding": "1.9.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18." }, { "lang": "es", "value": "Go Ethereum, o \"Geth\", es la implementaci\u00f3n oficial de Golang del protocolo Ethereum.\u0026#xa0;En Geth versiones anteriores a 1.9.18, se presenta una Denegaci\u00f3n de servicio (bloqueo) durante el procesamiento de bloques.\u0026#xa0;Esto es corregido en la versi\u00f3n 1.9.18" } ], "id": "CVE-2020-26242", "lastModified": "2024-11-21T05:19:37.950", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": 
"Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-11-25T02:15:11.127", "references": [ { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-11-25 02:15
Modified
2024-11-21 05:19
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected. This issue is fixed as of 1.9.24.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FD25FC5-2D0F-41D2-BE6E-34EF9AFA0A08", "versionEndExcluding": "1.9.24", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24" }, { "lang": "es", "value": "Go Ethereum, o \"Geth\", es la implementaci\u00f3n oficial de Golang del protocolo Ethereum.\u0026#xa0;Un fallo de generaci\u00f3n DAG de miner\u00eda ethash en Geth versiones anteriores a 1.9.24, podr\u00eda causar a unos mineros calcular err\u00f3neamente PoW en una \u00e9poca pr\u00f3xima (estimada a principios de enero de 2021).\u0026#xa0;Esto sucedi\u00f3 en la cadena ETC el 06-11-2020.\u0026#xa0;Este problema es relevante solo para mineros, los nodos que no son mineros no est\u00e1n afectados.\u0026#xa0;Este problema es corregido desde la versi\u00f3n 1.9.24" } ], "id": "CVE-2020-26240", "lastModified": "2024-11-21T05:19:37.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], 
"cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-11-25T02:15:10.923", "references": [ { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/21793" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/21793" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-682" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-682" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-05-20 17:15
Modified
2024-11-21 06:58
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack.
References
Source | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/ethereum/go-ethereum/pull/24507 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/pull/24507 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5 | Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "5562E213-FCDE-4324-BB21-DB2FF0A2D58D", "versionEndExcluding": "1.10.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack." }, { "lang": "es", "value": "Go Ethereum es la implementaci\u00f3n oficial en Golang del protocolo Ethereum. En versiones anteriores a 1.10.17, un nodo vulnerable, si est\u00e1 configurado para usar un registro de alta verbosidad, puede ser hecho caer cuando maneja mensajes p2p especialmente dise\u00f1ados enviados desde un nodo atacante. La versi\u00f3n 1.10.17 contiene un parche que aborda el problema. 
Como mitigaci\u00f3n, establecer el nivel de registro al nivel por defecto (\"INFO\") hace que el nodo no sea vulnerable a este ataque" } ], "id": "CVE-2022-29177", "lastModified": "2024-11-21T06:58:38.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-20T17:15:07.797", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/24507" }, { "source": 
"security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/24507" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-12-11 17:15
Modified
2024-11-21 05:19
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25, a denial-of-service vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling the les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC7FBD4-34A5-414C-BBBA-2512124CFBF0", "versionEndExcluding": "1.9.25", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25." }, { "lang": "es", "value": "Go Ethereum, o \"Geth\", es la implementaci\u00f3n oficial de Golang del protocolo Ethereum.\u0026#xa0;En Geth versiones anteriores a 1.9.25, una vulnerabilidad de Denegaci\u00f3n de Servicio puede hacer a un servidor LES bloquearse por medio de una petici\u00f3n GetProofsV2 maliciosa de un cliente LES conectado.\u0026#xa0;Esta vulnerabilidad solo afecta a usuarios que habilitan expl\u00edcitamente el servidor de archivos;\u0026#xa0;deshabilitar archivos evita la explotaci\u00f3n.\u0026#xa0;La vulnerabilidad fue parcheada en versi\u00f3n 1.9.25" } ], "id": "CVE-2020-26264", "lastModified": "2024-11-21T05:19:41.910", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { 
"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-11T17:15:12.793", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/21896" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/ethereum/go-ethereum/pull/21896" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-26 14:15
Modified
2024-11-21 06:25
Severity ?
Summary
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA383AD6-A083-453C-BED8-C2C8BCCDEEDE", "versionEndExcluding": "1.10.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading." }, { "lang": "es", "value": "Go Ethereum es la implementaci\u00f3n oficial en Golang del protocolo Ethereum. En versiones anteriores a 1.10.9, un nodo vulnerable es susceptible de bloquearse cuando procesa un mensaje maliciosamente dise\u00f1ado de un compa\u00f1ero. La versi\u00f3n v1.10.9 contiene parches para la vulnerabilidad. No se conocen soluciones aparte de la actualizaci\u00f3n" } ], "id": "CVE-2021-41173", "lastModified": "2024-11-21T06:25:40.247", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2021-10-26T14:15:08.130", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/23801" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/pull/23801" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } 
] }
Vulnerability from fkie_nvd
Published
2022-03-17 00:15
Modified
2024-11-21 06:27
Summary
Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | 1.10.9 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:1.10.9:*:*:*:*:*:*:*", "matchCriteriaId": "AB7CCF6D-23C7-4373-BE4C-A6AE336F38E6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go." }, { "lang": "es", "value": "Se ha detectado que Go-Ethereum versi\u00f3n v1.10.9, contiene un problema que permite a atacantes causar una denegaci\u00f3n de servicio (DoS) por medio del env\u00edo de una cantidad excesiva de mensajes a un nodo. Esto es causado por una falta de memoria en el componente /ethash/algorithm.go" } ], "id": "CVE-2021-42219", "lastModified": "2024-11-21T06:27:25.247", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] 
}, "published": "2022-03-17T00:15:07.813", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1dYFSpNZPC0OV-n1mMqdc269u9yYU1XQy/edit?usp=sharing\u0026ouid=112110745137218798745\u0026rtpof=true\u0026sd=true" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1dYFSpNZPC0OV-n1mMqdc269u9yYU1XQy/edit?usp=sharing\u0026ouid=112110745137218798745\u0026rtpof=true\u0026sd=true" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-12-11 17:15
Modified
2024-11-21 05:19
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches have been made -- all users are recommended to upgrade to a newer version.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4C13B50-B285-47E5-B7D3-00E4C6D5FCFA", "versionEndExcluding": "1.9.20", "versionStartIncluding": "1.9.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches have been made -- all users are recommended to upgrade to a newer version." }, { "lang": "es", "value": "Go Ethereum, o \"Geth\", es la implementaci\u00f3n oficial de Golang del protocolo Ethereum.\u0026#xa0;En Geth desde versi\u00f3n 1.9.4 y versiones anteriores a 1.9.20, una vulnerabilidad de consenso podr\u00eda causar una divisi\u00f3n de cadena, donde unas versiones vulnerables se niegan a aceptar la cadena can\u00f3nica.\u0026#xa0;La correcci\u00f3n se incluy\u00f3 en versi\u00f3n 1.9.20 de la versi\u00f3n de Paragade.\u0026#xa0;No han sido hechos parches de soluci\u00f3n individual; se recomienda a todos los usuarios actualizar a una versi\u00f3n m\u00e1s reciente" } ], "id": "CVE-2020-26265", "lastModified": "2024-11-21T05:19:42.103", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": 
"Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-11T17:15:12.870", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-682" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": 
"en", "value": "CWE-682" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-05 21:15
Modified
2024-11-21 07:15
Summary
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA2DEA63-8338-4869-83DA-D5ED75A6D76B", "versionEndIncluding": "1.10.21", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022." }, { "lang": "es", "value": "Go Ethereum (tambi\u00e9n se conoce como geth) versiones hasta 1.10.21, permite a atacantes aumentar las recompensas mediante la miner\u00eda de bloques en determinadas situaciones, y el uso de una manipulaci\u00f3n de los valores de diferencia de tiempo para lograr el reemplazo de los bloques de la cadena principal, tambi\u00e9n se conoce como Riskless Uncle Making (RUM), como es explotado \"in the wild\" en 2020 hasta 2022" } ], "id": "CVE-2022-37450", "lastModified": "2024-11-21T07:15:00.200", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-05T21:15:09.087", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94" }, { "source": "cve@mitre.org", "url": "https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://news.ycombinator.com/item?id=32354896" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://news.ycombinator.com/item?id=32354896" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-06 19:15
Modified
2024-11-21 08:19
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e., `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ethereum | go_ethereum | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BB58DD3-06EB-4264-A101-4274CF19120E", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n" }, { "lang": "es", "value": "go-ethereum (geth) es una implementaci\u00f3n de la capa de ejecuci\u00f3n golang del protocolo Ethereum. Se puede hacer que un nodo vulnerable consuma cantidades ilimitadas de memoria cuando se manejan mensajes p2p especialmente manipulados enviados desde un nodo atacante. La correcci\u00f3n se incluye en la versi\u00f3n de geth \u00271.12.1-stable\u0027, es decir, \u00271.12.2-unstable\u0027 y posteriores. Se recomienda a los usuarios que actualicen. No hay workarounds conocidas para esta vulnerabilidad." 
} ], "id": "CVE-2023-40591", "lastModified": "2024-11-21T08:19:46.860", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-06T19:15:44.100", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
CVE-2020-26264 (GCVE-0-2020-26264)
Vulnerability from cvelistv5
Published
2020-12-11 16:45
Modified
2024-08-04 15:56
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.
References
Impacted products
Vendor | Product | Version |
---|---|---|
ethereum | go-ethereum | < 1.9.25 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.248Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/pull/21896" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003c 1.9.25" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T16:45:24", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/pull/21896" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25" } ], "source": { "advisory": "GHSA-r33q-22hv-j29q", "discovery": "UNKNOWN" }, "title": "LES Server DoS via GetProofsV2", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26264", "STATE": "PUBLIC", "TITLE": "LES Server DoS via GetProofsV2" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003c 1.9.25" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. 
In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q" }, { "name": "https://github.com/ethereum/go-ethereum/pull/21896", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/21896" }, { "name": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46" }, { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25" } ] }, "source": { "advisory": "GHSA-r33q-22hv-j29q", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26264", "datePublished": "2020-12-11T16:45:24", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.248Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-26242 (GCVE-0-2020-26242)
Vulnerability from cvelistv5
Published
2020-11-25 01:25
Modified
2024-08-04 15:56
CWE
- Denial-of-service
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
References
Impacted products
Vendor | Product | Version |
---|---|---|
ethereum | go-ethereum | < 1.9.18 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:03.570Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003c 1.9.18" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Denial-of-service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-25T01:25:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" } ], "source": { "advisory": "GHSA-jm5c-rv3w-w83m", "discovery": "UNKNOWN" }, "title": "Denial of service in geth", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": 
"CVE-2020-26242", "STATE": "PUBLIC", "TITLE": "Denial of service in geth" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003c 1.9.18" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial-of-service" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m" }, { "name": "https://blog.ethereum.org/2020/11/12/geth_security_release/", "refsource": "MISC", "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" } ] }, "source": { "advisory": "GHSA-jm5c-rv3w-w83m", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26242", "datePublished": "2020-11-25T01:25:15", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.570Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-40591 (GCVE-0-2023-40591)
Vulnerability from cvelistv5
Published
2023-09-06 18:07
Modified
2024-09-26 15:19
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e., `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version |
---|---|---|
ethereum | go-ethereum | < 1.12.1-stable |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:38:50.931Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm" }, { "name": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures" }, { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "go_ethereum", "vendor": "ethereum", "versions": [ { "lessThan": "1.12.1-stable", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-40591", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T14:47:36.804026Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T15:19:33.428Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003c 1.12.1-stable" } ] } ], "descriptions": [ { "lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. 
A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-06T18:07:20.899Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm" }, { "name": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures", "tags": [ "x_refsource_MISC" ], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures" }, { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1" } ], "source": { "advisory": "GHSA-ppjg-v974-84cm", "discovery": "UNKNOWN" }, "title": "Denial of service via malicious p2p message in go-ethereum" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-40591", "datePublished": "2023-09-06T18:07:20.899Z", "dateReserved": "2023-08-16T18:24:02.393Z", 
"dateUpdated": "2024-09-26T15:19:33.428Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-42319 (GCVE-0-2023-42319)
Vulnerability from cvelistv5
Published
2023-10-18 00:00
Modified
2024-09-13 16:28
CWE
- n/a
Summary
Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic."
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:16:51.000Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://geth.ethereum.org/docs/fundamentals/security" }, { "tags": [ "x_transferred" ], "url": "https://blog.mevsec.com/posts/geth-dos-with-graphql/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "go_ethereum", "vendor": "ethereum", "versions": [ { "lessThanOrEqual": "1.13.4", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-42319", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-13T16:24:47.041341Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-13T16:28:14.721Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. 
NOTE: the vendor\u0027s position is that the \"graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-18T05:12:02.438054", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://geth.ethereum.org/docs/fundamentals/security" }, { "url": "https://blog.mevsec.com/posts/geth-dos-with-graphql/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-42319", "datePublished": "2023-10-18T00:00:00", "dateReserved": "2023-09-08T00:00:00", "dateUpdated": "2024-09-13T16:28:14.721Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23328 (GCVE-0-2022-23328)
Vulnerability from cvelistv5
Published
2022-03-04 11:24
Modified
2024-08-03 03:36
CWE
- n/a
Summary
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:36:20.422Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://ethereum.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://go-ethereum.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://tristartom.github.io/docs/ccs21.pdf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node\u0027s memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-04T11:24:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://ethereum.com" }, { "tags": [ "x_refsource_MISC" ], "url": "http://go-ethereum.com" }, { "tags": [ "x_refsource_MISC" ], "url": "https://tristartom.github.io/docs/ccs21.pdf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23328", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node\u0027s memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://ethereum.com", "refsource": "MISC", "url": "http://ethereum.com" }, { "name": "http://go-ethereum.com", "refsource": "MISC", "url": "http://go-ethereum.com" }, { "name": "https://tristartom.github.io/docs/ccs21.pdf", "refsource": "MISC", "url": "https://tristartom.github.io/docs/ccs21.pdf" }, { "name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", "refsource": "MISC", "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23328", "datePublished": "2022-03-04T11:24:22", "dateReserved": "2022-01-18T00:00:00", "dateUpdated": "2024-08-03T03:36:20.422Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23327 (GCVE-0-2022-23327)
Vulnerability from cvelistv5
Published
2022-03-04 11:24
Modified
2024-08-03 03:36
CWE
- n/a
Summary
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:36:20.397Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://ethereum.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://go-ethereum.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://tristartom.github.io/docs/ccs21.pdf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node\u0027s memory pool, causing a denial of service (DoS)." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-04T11:24:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://ethereum.com" }, { "tags": [ "x_refsource_MISC" ], "url": "http://go-ethereum.com" }, { "tags": [ "x_refsource_MISC" ], "url": "https://tristartom.github.io/docs/ccs21.pdf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23327", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node\u0027s memory pool, causing a denial of service (DoS)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://ethereum.com", "refsource": "MISC", "url": "http://ethereum.com" }, { "name": "http://go-ethereum.com", "refsource": "MISC", "url": "http://go-ethereum.com" }, { "name": "https://tristartom.github.io/docs/ccs21.pdf", "refsource": "MISC", "url": "https://tristartom.github.io/docs/ccs21.pdf" }, { "name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", "refsource": "MISC", "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23327", "datePublished": "2022-03-04T11:24:13", "dateReserved": "2022-01-18T00:00:00", "dateUpdated": "2024-08-03T03:36:20.397Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-20421 (GCVE-0-2018-20421)
Vulnerability from cvelistv5
Published
2018-12-24 03:00
Modified
2024-09-17 01:41
CWE
- n/a
Summary
Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:58:19.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/issues/18289" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of \"assembly { mstore }\" followed by a \"c[0xC800000] = 0xFF\" assignment." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-24T03:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/issues/18289" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-20421", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of \"assembly { mstore }\" followed by a \"c[0xC800000] = 0xFF\" assignment." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/issues/18289", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/issues/18289" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-20421", "datePublished": "2018-12-24T03:00:00Z", "dateReserved": "2018-12-23T00:00:00Z", "dateUpdated": "2024-09-17T01:41:26.479Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-37450 (GCVE-0-2022-37450)
Vulnerability from cvelistv5
Published
2022-08-05 20:30
Modified
2024-08-03 10:29
CWE
- n/a
Summary
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:29:20.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://news.ycombinator.com/item?id=32354896" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-05T20:30:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94" }, { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef" }, { "tags": [ "x_refsource_MISC" ], "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043" }, { "tags": [ "x_refsource_MISC" ], "url": "https://news.ycombinator.com/item?id=32354896" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-37450", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94" }, { "name": "https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef", "refsource": "MISC", "url": "https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef" }, { "name": "http://dx.doi.org/10.13140/RG.2.2.27813.99043", "refsource": "MISC", "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043" }, { "name": "https://news.ycombinator.com/item?id=32354896", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=32354896" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-37450", "datePublished": "2022-08-05T20:30:46", "dateReserved": "2022-08-05T00:00:00", "dateUpdated": "2024-08-03T10:29:20.985Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-19184 (GCVE-0-2018-19184)
Vulnerability from cvelistv5
Published
2018-11-12 02:00
Modified
2024-08-05 11:30
CWE
- n/a
Summary
cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:30:04.061Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/issues/18069" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-11-11T00:00:00", "descriptions": [ { "lang": "en", "value": "cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-11-12T02:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/issues/18069" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19184", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/issues/18069", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/issues/18069" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19184", "datePublished": "2018-11-12T02:00:00", "dateReserved": "2018-11-11T00:00:00", "dateUpdated": "2024-08-05T11:30:04.061Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-42219 (GCVE-0-2021-42219)
Vulnerability from cvelistv5
Published
2022-03-16 23:02
Modified
2024-08-04 03:30
CWE
- n/a
Summary
Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:30:37.539Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.google.com/document/d/1dYFSpNZPC0OV-n1mMqdc269u9yYU1XQy/edit?usp=sharing\u0026ouid=112110745137218798745\u0026rtpof=true\u0026sd=true" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-16T23:02:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://docs.google.com/document/d/1dYFSpNZPC0OV-n1mMqdc269u9yYU1XQy/edit?usp=sharing\u0026ouid=112110745137218798745\u0026rtpof=true\u0026sd=true" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-42219", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://docs.google.com/document/d/1dYFSpNZPC0OV-n1mMqdc269u9yYU1XQy/edit?usp=sharing\u0026ouid=112110745137218798745\u0026rtpof=true\u0026sd=true", "refsource": "MISC", "url": "https://docs.google.com/document/d/1dYFSpNZPC0OV-n1mMqdc269u9yYU1XQy/edit?usp=sharing\u0026ouid=112110745137218798745\u0026rtpof=true\u0026sd=true" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-42219", "datePublished": "2022-03-16T23:02:06", "dateReserved": "2021-10-11T00:00:00", "dateUpdated": "2024-08-04T03:30:37.539Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-12018 (GCVE-0-2018-12018)
Vulnerability from cvelistv5
Published
2018-07-05 02:00
Modified
2024-08-05 08:24
CWE
- n/a
Summary
The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:24:03.624Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/pull/16891" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://peckshield.com/2018/06/27/EPoD/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-07-04T00:00:00", "descriptions": [ { "lang": "en", "value": "The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-07-05T02:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/pull/16891" }, { "tags": [ "x_refsource_MISC" ], "url": "https://peckshield.com/2018/06/27/EPoD/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-12018", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11" }, { "name": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4" }, { "name": "https://github.com/ethereum/go-ethereum/pull/16891", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/16891" }, { "name": "https://peckshield.com/2018/06/27/EPoD/", "refsource": "MISC", "url": "https://peckshield.com/2018/06/27/EPoD/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-12018", "datePublished": "2018-07-05T02:00:00", "dateReserved": "2018-06-07T00:00:00", "dateUpdated": "2024-08-05T08:24:03.624Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-39137 (GCVE-0-2021-39137)
Vulnerability from cvelistv5
Published
2021-08-24 16:05
Modified
2024-08-04 01:58
CWE
- CWE-436 - Interpretation Conflict
Summary
go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8` release. No workaround are available.
References
Impacted products
Vendor | Product | Version |
---|---|---|
ethereum | go-ethereum | >= 1.10.0, < 1.10.8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003e= 1.10.0, \u003c 1.10.8" } ] } ], "descriptions": [ { "lang": "en", "value": "go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8` release. No workaround are available." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-24T16:05:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8" } ], "source": { "advisory": "GHSA-9856-9gg9-qcmq", "discovery": "UNKNOWN" }, "title": "Consensus flaw during block processing in go-ethereum", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39137", "STATE": "PUBLIC", "TITLE": "Consensus flaw during block processing in go-ethereum" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003e= 1.10.0, \u003c 1.10.8" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8` release. 
No workaround are available." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-436: Interpretation Conflict" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq" }, { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8" } ] }, "source": { "advisory": "GHSA-9856-9gg9-qcmq", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39137", "datePublished": "2021-08-24T16:05:10", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:17.913Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-43668 (GCVE-0-2021-43668)
Vulnerability from cvelistv5
Published
2021-11-18 15:05
Modified
2024-08-04 04:03
CWE
- n/a
Summary
Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:03:08.581Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/issues/23866" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with \"runtime error: invalid memory address or nil pointer dereference\" and arise a SEGV signal." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-18T15:05:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/issues/23866" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43668", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with \"runtime error: invalid memory address or nil pointer dereference\" and arise a SEGV signal." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/issues/23866", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/issues/23866" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43668", "datePublished": "2021-11-18T15:05:20", "dateReserved": "2021-11-15T00:00:00", "dateUpdated": "2024-08-04T04:03:08.581Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-29177 (GCVE-0-2022-29177)
Vulnerability from cvelistv5
Published
2022-05-20 16:20
Modified
2025-04-23 18:24
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack.
Impacted products
Vendor | Product | Version
---|---|---
ethereum | go-ethereum | < 1.10.17
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:17:54.050Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/pull/24507" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-29177", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T14:07:11.628533Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T18:24:38.893Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003c 1.10.17" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-20T16:20:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/pull/24507" } ], "source": { "advisory": "GHSA-wjxw-gh3m-7pm5", "discovery": "UNKNOWN" }, "title": "DoS via malicious p2p message in Go-Ethereum", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29177", "STATE": "PUBLIC", "TITLE": "DoS via malicious p2p message in Go-Ethereum" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003c 1.10.17" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. 
As a workaround, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5" }, { "name": "https://github.com/ethereum/go-ethereum/pull/24507", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/24507" } ] }, "source": { "advisory": "GHSA-wjxw-gh3m-7pm5", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29177", "datePublished": "2022-05-20T16:20:10.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2025-04-23T18:24:38.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-16733 (GCVE-0-2018-16733)
Vulnerability from cvelistv5
Published
2018-09-08 15:00
Modified
2024-08-05 10:32
CWE
- n/a
Summary
In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:32:54.071Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/commit/106d196ec4a6451efedc60ab15957f231fa85639" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-09-08T00:00:00", "descriptions": [ { "lang": "en", "value": "In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-09-08T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/commit/106d196ec4a6451efedc60ab15957f231fa85639" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-16733", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/commit/106d196ec4a6451efedc60ab15957f231fa85639", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/106d196ec4a6451efedc60ab15957f231fa85639" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-16733", "datePublished": "2018-09-08T15:00:00", "dateReserved": "2018-09-08T00:00:00", "dateUpdated": "2024-08-05T10:32:54.071Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-26241 (GCVE-0-2020-26241)
Vulnerability from cvelistv5
Published
2020-11-25 01:25
Modified
2024-08-04 15:56
CWE
- CWE-682 - Incorrect Calculation
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17.
Impacted products
Vendor | Product | Version
---|---|---
ethereum | go-ethereum | >= 1.9.7, < 1.9.17
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:03.871Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003e= 1.9.7, \u003c 1.9.17" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth\u0027s pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-25T01:25:20", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf" } ], "source": { "advisory": "GHSA-69v6-xc2j-r2jf", "discovery": "UNKNOWN" }, "title": "Shallow copy bug in geth", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26241", "STATE": "PUBLIC", "TITLE": "Shallow copy bug in geth" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003e= 1.9.7, \u003c 1.9.17" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth\u0027s pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. 
An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-682: Incorrect Calculation" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.ethereum.org/2020/11/12/geth_security_release/", "refsource": "MISC", "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf" } ] }, "source": { "advisory": "GHSA-69v6-xc2j-r2jf", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26241", "datePublished": "2020-11-25T01:25:20", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.871Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-26240 (GCVE-0-2020-26240)
Vulnerability from cvelistv5
Published
2020-11-25 01:25
Modified
2024-08-04 15:56
CWE
- CWE-682 - Incorrect Calculation
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected. This issue is fixed as of 1.9.24.
Impacted products
Vendor | Product | Version
---|---|---
ethereum | go-ethereum | < 1.9.24
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.861Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/pull/21793" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003c 1.9.24" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. 
This issue is fixed as of 1.9.24" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-25T01:25:27", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/pull/21793" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0" } ], "source": { "advisory": "GHSA-v592-xf75-856p", "discovery": "UNKNOWN" }, "title": "Erroneous Proof of Work calculation in geth", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26240", "STATE": "PUBLIC", "TITLE": "Erroneous Proof of Work calculation in geth" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003c 1.9.24" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. 
An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24" } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-682: Incorrect Calculation" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.ethereum.org/2020/11/12/geth_security_release/", "refsource": "MISC", "url": "https://blog.ethereum.org/2020/11/12/geth_security_release/" }, { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p" }, { "name": "https://github.com/ethereum/go-ethereum/pull/21793", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/21793" }, { "name": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0" } ] }, "source": { "advisory": "GHSA-v592-xf75-856p", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26240", "datePublished": "2020-11-25T01:25:27", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.861Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-41173 (GCVE-0-2021-41173)
Vulnerability from cvelistv5
Published
2021-10-26 14:05
Modified
2024-08-04 02:59
CWE
- CWE-20 - Improper Input Validation
Summary
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.
Impacted products
Vendor | Product | Version
---|---|---
ethereum | go-ethereum | < 1.10.9
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/pull/23801" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003c 1.10.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-26T14:05:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/pull/23801" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9" } ], "source": { "advisory": "GHSA-59hh-656j-3p7v", "discovery": "UNKNOWN" }, "title": "DoS via maliciously crafted p2p message ", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41173", "STATE": "PUBLIC", "TITLE": "DoS via maliciously crafted p2p message " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003c 1.10.9" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum is the official Golang implementation of the Ethereum protocol. 
Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20: Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v" }, { "name": "https://github.com/ethereum/go-ethereum/pull/23801", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/23801" }, { "name": "https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738" }, { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9" } ] }, "source": { "advisory": "GHSA-59hh-656j-3p7v", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41173", "datePublished": "2021-10-26T14:05:12", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-26265 (GCVE-0-2020-26265)
Vulnerability from cvelistv5
Published
2020-12-11 16:45
Modified
2024-08-04 15:56
CWE
- CWE-682 - Incorrect Calculation
Summary
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches have been made -- all users are recommended to upgrade to a newer version.
Impacted products
Vendor | Product | Version
---|---|---
ethereum | go-ethereum | >= 1.9.4, < 1.9.20
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:03.493Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "go-ethereum", "vendor": "ethereum", "versions": [ { "status": "affected", "version": "\u003e= 1.9.4, \u003c 1.9.20" } ] } ], "descriptions": [ { "lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches have been made -- all users are recommended to upgrade to a newer version." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-682", "description": "CWE-682 Incorrect Calculation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T16:45:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20" } ], "source": { "advisory": "GHSA-xw37-57qp-9mm4", "discovery": "UNKNOWN" }, "title": "Consensus flaw during block processing", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26265", "STATE": "PUBLIC", "TITLE": "Consensus flaw during block processing" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "go-ethereum", "version": { "version_data": [ { "version_value": "\u003e= 1.9.4, \u003c 1.9.20" } ] } } ] }, "vendor_name": "ethereum" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. 
No individual workaround patches have been made -- all users are recommended to upgrade to a newer version." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-682 Incorrect Calculation" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4" }, { "name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20" } ] }, "source": { "advisory": "GHSA-xw37-57qp-9mm4", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26265", "datePublished": "2020-12-11T16:45:15", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.493Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }