
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic."

• https://blog.mevsec.com/posts/geth-dos-with-graphql
• https://geth.ethereum.org/docs/fundamentals/security

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 1

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

• http://dx.doi.org/10.13140/RG.2.2.27813.99043
• https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94
• https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef
• https://news.ycombinator.com/item?id=32354896

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to the default level (`INFO`) makes the node not vulnerable to this attack.

• https://github.com/ethereum/go-ethereum/pull/24507
• https://github.com/ethereum/go-ethereum/security/advisories/GHSA-wjxw-gh3m-7pm5
• CWE-400: Uncontrolled Resource Consumption

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of the pending transactions in a victim node's memory pool, causing a denial of service (DoS).

• http://ethereum.com
• http://go-ethereum.com
• https://dl.acm.org/doi/pdf/10.1145/3460120.3485369
• https://tristartom.github.io/docs/ccs21.pdf

CVSS: 5.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.

• https://github.com/ethereum/go-ethereum/commit/e40b37718326b8b4873b3b00a0db2e6c6d9ea738
• https://github.com/ethereum/go-ethereum/pull/23801
• https://github.com/ethereum/go-ethereum/releases/tag/v1.10.9
• https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v
• CWE-20: Improper Input Validation