CVE-2020-26264 - OpenCVE

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
https://github.com/ethereum/go-ethereum/pull/21896
https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-12-11T16:45:24

Updated: 2024-08-04T15:56:04.248Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26264

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-11T17:15:12.793

Modified: 2020-12-14T18:06:07.520

Link: CVE-2020-26264

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "go-ethereum", "vendor": "ethereum", "versions": [{"status": "affected", "version": "< 1.9.25"}]}], "descriptions": [{"lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T16:45:24", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}], "source": {"advisory": "GHSA-r33q-22hv-j29q", "discovery": "UNKNOWN"}, "title": "LES Server DoS via GetProofsV2", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26264", "STATE": "PUBLIC", "TITLE": "LES Server DoS via GetProofsV2"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "go-ethereum", "version": {"version_data": [{"version_value": "< 1.9.25"}]}}]}, "vendor_name": "ethereum"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}, {"name": "https://github.com/ethereum/go-ethereum/pull/21896", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"name": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}]}, "source": {"advisory": "GHSA-r33q-22hv-j29q", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:04.248Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26264", "datePublished": "2020-12-11T16:45:24", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.248Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC7FBD4-34A5-414C-BBBA-2512124CFBF0", "versionEndExcluding": "1.9.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25."}, {"lang": "es", "value": "Go Ethereum, o \"Geth\", es la implementaci\u00f3n oficial de Golang del protocolo Ethereum. En Geth versiones anteriores a 1.9.25, una vulnerabilidad de Denegaci\u00f3n de Servicio puede hacer a un servidor LES bloquearse por medio de una petici\u00f3n GetProofsV2 maliciosa de un cliente LES conectado. Esta vulnerabilidad solo afecta a usuarios que habilitan expl\u00edcitamente el servidor de archivos; deshabilitar archivos evita la explotaci\u00f3n. La vulnerabilidad fue parcheada en versi\u00f3n 1.9.25"}], "id": "CVE-2020-26264", "lastModified": "2020-12-14T18:06:07.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-12-11T17:15:12.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}