CVE-2022-23327 - OpenCVE

A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://ethereum.com
http://go-ethereum.com
https://dl.acm.org/doi/pdf/10.1145/3460120.3485369
https://tristartom.github.io/docs/ccs21.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-04T11:24:13

Updated: 2024-08-03T03:36:20.397Z

Reserved: 2022-01-18T00:00:00

Link: CVE-2022-23327

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-04T12:15:07.880

Modified: 2022-03-17T18:47:51.573

Link: CVE-2022-23327

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-04T11:24:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://ethereum.com"}, {"tags": ["x_refsource_MISC"], "url": "http://go-ethereum.com"}, {"tags": ["x_refsource_MISC"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23327", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ethereum.com", "refsource": "MISC", "url": "http://ethereum.com"}, {"name": "http://go-ethereum.com", "refsource": "MISC", "url": "http://go-ethereum.com"}, {"name": "https://tristartom.github.io/docs/ccs21.pdf", "refsource": "MISC", "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", "refsource": "MISC", "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:20.397Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ethereum.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://go-ethereum.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23327", "datePublished": "2022-03-04T11:24:13", "dateReserved": "2022-01-18T00:00:00", "dateUpdated": "2024-08-03T03:36:20.397Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E13B619-FD43-44BF-88ED-AEE770DFFF0B", "versionEndIncluding": "1.10.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)."}, {"lang": "es", "value": "Un fallo de dise\u00f1o en Go-Ethereum versiones 1.10.12 y versiones anteriores, permite a un nodo atacante enviar 5120 transacciones futuras con un precio de gas elevado en un solo mensaje, lo que puede purgar todas las transacciones pendientes en el pool de memoria de un nodo v\u00edctima, causando una denegaci\u00f3n de servicio (DoS)"}], "id": "CVE-2022-23327", "lastModified": "2022-03-17T18:47:51.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-04T12:15:07.880", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link", "Not Applicable"], "url": "http://ethereum.com"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://go-ethereum.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}