Lucene search

[email protected]CVE-2023-42319

HistoryOct 18, 2023 - 6:15 a.m.

CVE-2023-42319

2023-10-1806:15:07

[email protected]

web.nvd.nist.gov

cve-2023-42319

geth

go-ethereum

denial of service

memory consumption

daemon hang

graphql

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.2%

JSON

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor’s position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic.

Affected configurations

NVD

Node

ethereumgo_ethereumRange≤1.13.4

CPENameOperatorVersion
ethereum:go_ethereumethereum go ethereumle1.13.4

CPE	Name	Operator	Version
ethereum:go_ethereum	ethereum go ethereum	le	1.13.4

References

blog.mevsec.com/posts/geth-dos-with-graphql/

geth.ethereum.org/docs/fundamentals/security

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.2%

JSON

Related for CVE-2023-42319

osv2 nvd1 prion1 veracode1 cvelist1 github1