CVE-2021-41173 — Improper Input Validation in Go-ethereum

CWE-20 — Improper Input Validation6 documents5 sources

Severity

5.7MEDIUMNVD

EPSS

0.2%

top 61.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

3

Ethereum Go-ethereum Github.com Ethereum Go-ethereum Ethereum GO Ethereum

Timeline

PublishedOct 26

Latest updateFeb 21

Description

Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:HExploitability: 2.1 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5ethereum/go-ethereum< 1.10.9

▶NVDethereum/go_ethereum< 1.10.9

▶Gogithub.com/ethereum_go-ethereum< 1.10.9

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

4

OSV

Panic via maliciously crafted message in github.com/ethereum/go-ethereum↗2022-07-15

▶

CVEList

DoS via maliciously crafted p2p message↗2021-10-26

▶

GHSA

Geth Node Vulnerable to DoS via maliciously crafted p2p message↗2021-10-25

▶

OSV

Geth Node Vulnerable to DoS via maliciously crafted p2p message↗2021-10-25

▶

📄Research Papers

1

arXiv

BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects↗2023-02-21

▶

CVE-2021-41173 — Improper Input Validation | cvebase