A DoS vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client.
The vulnerability was patched in https://github.com/ethereum/go-ethereum/pull/21896.
This vulnerability only affects users who explicitly enable the les server; disabling les prevents the exploit.
It can also be patched by manually applying the patch in https://github.com/ethereum/go-ethereum/pull/21896.
If you have any questions or comments about this advisory:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/ethereum/go-ethereum | lt | 1.9.25 |
https://github.com/advisories/GHSA-r33q-22hv-j29q
https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
https://github.com/ethereum/go-ethereum/pull/21896
https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q
https://nvd.nist.gov/vuln/detail/CVE-2020-26264
https://pkg.go.dev/vuln/GO-2021-0063