May 06, 2024 - 3:15 p.m.

CVE-2024-32972

2024-05-06 15:15:23
CWE-400
web.nvd.nist.gov
Tags: go-ethereum, vulnerability, memory consumption, crafted messages, nvd, 1.13.15

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.6 Medium
Confidence: High

EPSS: 0.0004 Low
Percentile: 9.1%

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in geth version 1.13.15 and onwards.

Affected configurations

Vulners
Node: ethereum go_ethereum
Range: <1.13.15

Vendor: ethereum
Product: go_ethereum
Version: *
CPE: cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "ethereum",
    "product": "go-ethereum",
    "versions": [
      {
        "version": "< 1.13.15",
        "status": "affected"
      }
    ]
  }
]
