CVE-2020-26264Uncontrolled Resource Consumption in Go-ethereum

CWE-400Uncontrolled Resource Consumption6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.5%
top 34.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Ethereum Go-ethereumGithub.com Ethereum Go-ethereumEthereum GO Ethereum
Timeline
PublishedDec 11
Latest updateFeb 21

Description

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5ethereum/go-ethereum< 1.9.25
NVDethereum/go_ethereum< 1.9.25

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
Denial of service in github.com/ethereum/go-ethereum2021-06-29
OSV
Denial of service in github.com/ethereum/go-ethereum2021-06-29
OSV
Nil pointer dereference via malicious RPC message in github.com/ethereum/go-ethereum2021-04-14
CVEList
LES Server DoS via GetProofsV22020-12-11

📄Research Papers

1
arXiv
BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects2023-02-21
CVE-2020-26264 — Uncontrolled Resource Consumption | cvebase