CVE-2022-23327 - OpenCVE

A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

References

Link	Resource
http://ethereum.com	Broken Link Not Applicable
http://go-ethereum.com	Broken Link
https://dl.acm.org/doi/pdf/10.1145/3460120.3485369	Exploit Mitigation Technical Description Third Party Advisory
https://tristartom.github.io/docs/ccs21.pdf	Exploit Mitigation Technical Description Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-04T11:24:13

Updated: 2022-03-04T11:24:13

Reserved: 2022-01-18T00:00:00

Link: CVE-2022-23327

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-04T12:15:07.880

Modified: 2022-03-17T18:47:51.573

Link: CVE-2022-23327

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-04T11:24:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://ethereum.com"}, {"tags": ["x_refsource_MISC"], "url": "http://go-ethereum.com"}, {"tags": ["x_refsource_MISC"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23327", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ethereum.com", "refsource": "MISC", "url": "http://ethereum.com"}, {"name": "http://go-ethereum.com", "refsource": "MISC", "url": "http://go-ethereum.com"}, {"name": "https://tristartom.github.io/docs/ccs21.pdf", "refsource": "MISC", "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", "refsource": "MISC", "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23327", "datePublished": "2022-03-04T11:24:13", "dateReserved": "2022-01-18T00:00:00", "dateUpdated": "2022-03-04T11:24:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E13B619-FD43-44BF-88ED-AEE770DFFF0B", "versionEndIncluding": "1.10.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)."}, {"lang": "es", "value": "Un fallo de dise\u00f1o en Go-Ethereum versiones 1.10.12 y versiones anteriores, permite a un nodo atacante enviar 5120 transacciones futuras con un precio de gas elevado en un solo mensaje, lo que puede purgar todas las transacciones pendientes en el pool de memoria de un nodo v\u00edctima, causando una denegaci\u00f3n de servicio (DoS)"}], "id": "CVE-2022-23327", "lastModified": "2022-03-17T18:47:51.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-04T12:15:07.880", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link", "Not Applicable"], "url": "http://ethereum.com"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://go-ethereum.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}