CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26241 – Shallow copy bug in geth
https://notcve.org/view.php?id=CVE-2020-26241
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. • https://blog.ethereum.org/2020/11/12/geth_security_release https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf • CWE-682: Incorrect Calculation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26242 – Denial of service in geth
https://notcve.org/view.php?id=CVE-2020-26242
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18. Go Ethereum, o "Geth", es la implementación oficial de Golang del protocolo Ethereum. En Geth versiones anteriores a 1.9.18, se presenta una Denegación de servicio (bloqueo) durante el procesamiento de bloques. • https://blog.ethereum.org/2020/11/12/geth_security_release https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20421
https://notcve.org/view.php?id=CVE-2018-20421
Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment. Go Ethereum (también conocido como geth) 1.8.19 permite que los atacantes provoquen una denegación de servicio (consumo de memoria) mediante la reescritura de la longitud de un array dinámico en la memoria y, a continuación, la escritura de datos a una única ubicación de memoria con un número de índice largo. Esto queda demostrado por el uso de "assembly { mstore }", seguido por una asignación "c[0xC800000] = 0xFF". • https://github.com/ethereum/go-ethereum/issues/18289 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19184
https://notcve.org/view.php?id=CVE-2018-19184
cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode. cmd/evm/runner.go en Go Ethereum (alias geth) 1.8.17 permite a los atacantes provocar una denegación de servicio (SEGV) mediante un código de bytes manipulado. • https://github.com/ethereum/go-ethereum/issues/18069 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16733
https://notcve.org/view.php?id=CVE-2018-16733
In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block. En Go Ethereum (también conocido como geth) en versiones anteriores a la 1.8.14, TraceChain en eth/api_tracer.go no verifica que el bloque final esté tras el bloque de inicio. • https://github.com/ethereum/go-ethereum/commit/106d196ec4a6451efedc60ab15957f231fa85639 • CWE-20: Improper Input Validation •