CVE-2023-40591 - OpenCVE

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

References

Link	Resource
https://geth.ethereum.org/docs/developers/geth-developer/disclosures	Product
https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1	Release Notes
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-06T18:07:20.899Z

Updated: 2023-09-06T18:07:20.899Z

Reserved: 2023-08-16T18:24:02.393Z

Link: CVE-2023-40591

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-06T19:15:44.100

Modified: 2023-09-12T15:24:11.223

Link: CVE-2023-40591

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-40591", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-16T18:24:02.393Z", "datePublished": "2023-09-06T18:07:20.899Z", "dateUpdated": "2023-09-06T18:07:20.899Z"}, "containers": {"cna": {"title": "Denial of service via malicious p2p message in go-ethereum", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm"}, {"name": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures", "tags": ["x_refsource_MISC"], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1"}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"version": "< 1.12.1-stable", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-06T18:07:20.899Z"}, "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}], "source": {"advisory": "GHSA-ppjg-v974-84cm", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BB58DD3-06EB-4264-A101-4274CF19120E", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "go-ethereum (geth) es una implementaci\u00f3n de la capa de ejecuci\u00f3n golang del protocolo Ethereum. Se puede hacer que un nodo vulnerable consuma cantidades ilimitadas de memoria cuando se manejan mensajes p2p especialmente manipulados enviados desde un nodo atacante. La correcci\u00f3n se incluye en la versi\u00f3n de geth '1.12.1-stable', es decir, '1.12.2-unstable' y posteriores. Se recomienda a los usuarios que actualicen. No hay workarounds conocidas para esta vulnerabilidad."}], "id": "CVE-2023-40591", "lastModified": "2023-09-12T15:24:11.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-06T19:15:44.100", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}