GHSA-p5gc-957x-gfw9

Source
https://github.com/advisories/GHSA-p5gc-957x-gfw9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p5gc-957x-gfw9/GHSA-p5gc-957x-gfw9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p5gc-957x-gfw9
Aliases
Published
2022-05-14T03:01:31Z
Modified
2024-05-20T19:55:50Z
Severity
  • 7.5 (High) CVSS v3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Go Ethereum LES protocol implementation vulnerable to Denial of Service
Details

The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.
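The following Go program is an added illustration of the bug class the advisory describes; it is not go-ethereum code and does not reproduce the les package. It assumes that the query's Skip field is decoded as a uint64, so that a "-1" on the wire arrives as 2^64-1, and that the handler computes the next block as Origin+Skip+1 and then indexes an ancestry slice by Skip. All names (hashOf, parentHashes, headersQuery, nextHeaderUnchecked, nextHeaderChecked, chainLen, maxSkip) and the 16-block toy chain are constructed for this example. The unchecked function shows how the wrapped value reaches a Go "index out of range" panic (the crash in an unrecovering node); the checked function shows the bounds and overflow checks that turn the same packet into an error the handler can log and drop.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Constructed model of the pattern the advisory describes; it is not
// go-ethereum code. A GetBlockHeaders-style query carries Skip as a uint64,
// so a "-1" on the wire arrives as math.MaxUint64. Folded into Origin+Skip+1
// that wraps back to Origin, the parent-hash lookup for a count of Skip+1 == 0
// returns an empty slice, and indexing it with Skip panics. In a node that
// does not recover per-message panics, that panic is the crash.

type hash [32]byte

const (
	chainLen = 16   // constructed chain: blocks 0..15
	maxSkip  = 1024 // hypothetical upper bound a hardened handler enforces
)

var (
	errBadSkip  = errors.New("GetBlockHeaders: skip out of range or overflows")
	errNotFound = errors.New("GetBlockHeaders: no header satisfies the query")
)

// hashOf stands in for a block hash: block n's hash is n big-endian in the low bytes.
func hashOf(n uint64) hash {
	var h hash
	for i := 0; i < 8; i++ {
		h[31-i] = byte(n >> (8 * i))
	}
	return h
}

// parentHashes returns up to count ancestor hashes of block `from`, nearest
// parent first, stopping at genesis. count == 0 yields an empty slice.
func parentHashes(from, count uint64) []hash {
	if from >= chainLen {
		return nil
	}
	var out []hash
	for n := from; n > 0 && uint64(len(out)) < count; n-- {
		out = append(out, hashOf(n-1))
	}
	return out
}

type headersQuery struct {
	Origin uint64 // block number of the current header
	Skip   uint64 // blocks to skip between results; unsigned on the wire
}

// nextHeaderUnchecked reproduces the vulnerable shape: no overflow check on
// Origin+Skip+1 and a direct index by Skip into the ancestry slice.
// With Skip == math.MaxUint64 the index expression panics.
func nextHeaderUnchecked(q headersQuery) (uint64, bool) {
	next := q.Origin + q.Skip + 1
	if next >= chainLen {
		return 0, false
	}
	if parentHashes(next, q.Skip+1)[q.Skip] == hashOf(q.Origin) { // panic site
		return next, true
	}
	return 0, false
}

// nextHeaderChecked is the hardened form: it bounds Skip, rejects a next value
// that does not strictly advance (the wrapped case), and checks the slice
// length before indexing, so a hostile packet becomes an error to log and
// drop rather than a panic.
func nextHeaderChecked(q headersQuery) (uint64, error) {
	if q.Skip > maxSkip {
		return 0, errBadSkip
	}
	next := q.Origin + q.Skip + 1
	if next <= q.Origin {
		return 0, errBadSkip
	}
	if next >= chainLen {
		return 0, errNotFound
	}
	hashes := parentHashes(next, q.Skip+1)
	if uint64(len(hashes)) <= q.Skip {
		return 0, errBadSkip
	}
	if hashes[q.Skip] != hashOf(q.Origin) {
		return 0, errNotFound
	}
	return next, nil
}

func main() {
	good := headersQuery{Origin: 3, Skip: 2}
	hostile := headersQuery{Origin: 3, Skip: math.MaxUint64} // "-1" as uint64
	for _, q := range []headersQuery{good, hostile} {
		next, err := nextHeaderChecked(q)
		fmt.Printf("skip=%d -> next=%d err=%v\n", q.Skip, next, err)
	}
}
```

The two checks that matter are the `next <= q.Origin` comparison, which catches any Skip that makes the addition wrap, and the `len(hashes) <= q.Skip` test before the index. The explicit `maxSkip` bound is a defence-in-depth limit that also keeps the ancestry walk from being driven to arbitrary length by a remote peer.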

Specific Go Packages Affected

github.com/ethereum/go-ethereum/les

Database specific
{
    "nvd_published_at": "2018-07-05T02:29:00Z",
    "cwe_ids": [
        "CWE-129"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T00:28:02Z"
}
References

Affected packages

Go / github.com/ethereum/go-ethereum

Package

Name
github.com/ethereum/go-ethereum
Purl
pkg:golang/github.com/ethereum/go-ethereum

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.8.11