CVE-2023-40591

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://geth.ethereum.org/docs/developers/geth-developer/disclosures	Product
https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1	Release Notes
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

History

12 Sep 2023, 15:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:ethereum:go_ethereum::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm -~~	(MISC) https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm - Third Party Advisory
References	~~(MISC) https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1 -~~	(MISC) https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1 - Release Notes
References	~~(MISC) https://geth.ethereum.org/docs/developers/geth-developer/disclosures -~~	(MISC) https://geth.ethereum.org/docs/developers/geth-developer/disclosures - Product
First Time		Ethereum go Ethereum Ethereum

06 Sep 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-06 19:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-40591

Mitre link : CVE-2023-40591

CVE.ORG link : CVE-2023-40591

JSON object : View

Products Affected

ethereum

go_ethereum

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2023-40591", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-09-06T19:15:44.100", "references": [{"url": "https://geth.ethereum.org/docs/developers/geth-developer/disclosures", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "go-ethereum (geth) es una implementaci\u00f3n de la capa de ejecuci\u00f3n golang del protocolo Ethereum. Se puede hacer que un nodo vulnerable consuma cantidades ilimitadas de memoria cuando se manejan mensajes p2p especialmente manipulados enviados desde un nodo atacante. La correcci\u00f3n se incluye en la versi\u00f3n de geth '1.12.1-stable', es decir, '1.12.2-unstable' y posteriores. Se recomienda a los usuarios que actualicen. No hay workarounds conocidas para esta vulnerabilidad."}], "lastModified": "2023-09-12T15:24:11.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BB58DD3-06EB-4264-A101-4274CF19120E", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}