CVE-2023-40591 - OpenCVE

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://geth.ethereum.org/docs/developers/geth-developer/disclosures
https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-06T18:07:20.899Z

Updated: 2024-08-02T18:38:50.931Z

Reserved: 2023-08-16T18:24:02.393Z

Link: CVE-2023-40591

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-06T19:15:44.100

Modified: 2023-09-12T15:24:11.223

Link: CVE-2023-40591

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40591", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-16T18:24:02.393Z", "datePublished": "2023-09-06T18:07:20.899Z", "dateUpdated": "2024-08-02T18:38:50.931Z"}, "containers": {"cna": {"title": "Denial of service via malicious p2p message in go-ethereum", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm"}, {"name": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures", "tags": ["x_refsource_MISC"], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1"}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"version": "< 1.12.1-stable", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-06T18:07:20.899Z"}, "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}], "source": {"advisory": "GHSA-ppjg-v974-84cm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:38:50.931Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm"}, {"name": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BB58DD3-06EB-4264-A101-4274CF19120E", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "go-ethereum (geth) es una implementaci\u00f3n de la capa de ejecuci\u00f3n golang del protocolo Ethereum. Se puede hacer que un nodo vulnerable consuma cantidades ilimitadas de memoria cuando se manejan mensajes p2p especialmente manipulados enviados desde un nodo atacante. La correcci\u00f3n se incluye en la versi\u00f3n de geth '1.12.1-stable', es decir, '1.12.2-unstable' y posteriores. Se recomienda a los usuarios que actualicen. No hay workarounds conocidas para esta vulnerabilidad."}], "id": "CVE-2023-40591", "lastModified": "2023-09-12T15:24:11.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-06T19:15:44.100", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}