CVE-2022-29177Uncontrolled Resource Consumption in Go-ethereum

CWE-400Uncontrolled Resource Consumption6 documents5 sources
Severity
5.9MEDIUMNVD
EPSS
0.4%
top 37.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Ethereum Go-ethereumGithub.com Ethereum Go-ethereumEthereum GO Ethereum
Timeline
PublishedMay 20
Latest updateAug 21

Description

Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to default level (`INFO`) makes the node not vulnerable to this attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

CVEListV5ethereum/go-ethereum< 1.10.17
NVDethereum/go_ethereum< 1.10.17

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
DoS via malicious p2p message in Go Ethereum in github.com/ethereum/go-ethereum2024-08-21
GHSA
DoS via malicious p2p message in Go Ethereum2022-05-24
OSV
DoS via malicious p2p message in Go Ethereum2022-05-24
CVEList
DoS via malicious p2p message in Go-Ethereum2022-05-20

📄Research Papers

1
arXiv
BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects2023-02-21
CVE-2022-29177 — Uncontrolled Resource Consumption | cvebase