CVE-2022-23328 - OpenCVE

A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://ethereum.com
http://go-ethereum.com
https://dl.acm.org/doi/pdf/10.1145/3460120.3485369
https://tristartom.github.io/docs/ccs21.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-04T11:24:22

Updated: 2024-08-03T03:36:20.422Z

Reserved: 2022-01-18T00:00:00

Link: CVE-2022-23328

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-04T12:15:07.930

Modified: 2022-03-17T15:39:07.107

Link: CVE-2022-23328

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-04T11:24:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://ethereum.com"}, {"tags": ["x_refsource_MISC"], "url": "http://go-ethereum.com"}, {"tags": ["x_refsource_MISC"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23328", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ethereum.com", "refsource": "MISC", "url": "http://ethereum.com"}, {"name": "http://go-ethereum.com", "refsource": "MISC", "url": "http://go-ethereum.com"}, {"name": "https://tristartom.github.io/docs/ccs21.pdf", "refsource": "MISC", "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", "refsource": "MISC", "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:20.422Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ethereum.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://go-ethereum.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23328", "datePublished": "2022-03-04T11:24:22", "dateReserved": "2022-01-18T00:00:00", "dateUpdated": "2024-08-03T03:36:20.422Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:-:*:*:*:*:*:*:*", "matchCriteriaId": "4ABAEF23-8A63-4075-B552-9EE146AF06E8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)."}, {"lang": "es", "value": "Un fallo de dise\u00f1o en todas las versiones de Go-Ethereum permite que un nodo atacante env\u00ede 5120 transacciones pendientes de un precio de gas elevado desde una cuenta que gaste todo el saldo de la cuenta a un nodo Geth v\u00edctima, que puede purgar todas las transacciones pendientes en el pool de memoria de un nodo v\u00edctima y luego ocupar el pool de memoria para evitar que entren nuevas transacciones en el pool, resultando en una denegaci\u00f3n de servicio (DoS)"}], "id": "CVE-2022-23328", "lastModified": "2022-03-17T15:39:07.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-04T12:15:07.930", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://ethereum.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://go-ethereum.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://tristartom.github.io/docs/ccs21.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}