CVE-2023-42319
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic.
Geth (también conocido como go-ethereum) hasta 1.13.4, cuando se usa --http --graphql, permite a atacantes remotos provocar una Denegación de Servicio (consumo de memoria y bloqueo del daemon) a través de una consulta GraphQL manipulada. NOTA: la posición del proveedor es que "el endpoint Graphql [no está] diseñado para resistir ataques de clientes hostiles ni para manejar grandes cantidades de clientes/tráfico.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-09-08 CVE Reserved
- 2023-10-18 CVE Published
- 2024-09-13 CVE Updated
- 2024-09-13 First Exploit
- 2024-11-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://blog.mevsec.com/posts/geth-dos-with-graphql | 2024-09-13 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://geth.ethereum.org/docs/fundamentals/security | 2023-10-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ethereum Search vendor "Ethereum" | Go Ethereum Search vendor "Ethereum" for product "Go Ethereum" | <= 1.13.4 Search vendor "Ethereum" for product "Go Ethereum" and version " <= 1.13.4" | - |
Affected
| ||||||