GHSA-m6gx-rhvj-fh52 github.com/ethereum/go-ethereum

Package

Manager: go
Name: github.com/ethereum/go-ethereum
Vulnerable Version: >=0 <1.9.24

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Denial of service in go-ethereum due to CVE-2020-28362

### Impact

Versions of Geth built with Go `<1.15.5` or `<1.14.12` are most likely affected by a critical DoS-related security vulnerability. The golang team has registered the underlying flaw as 'CVE-2020-28362'.

We recommend that all users rebuild (ideally `v1.9.24`) with Go `1.15.5` or `1.14.12` to avoid node crashes. Alternatively, if you are running binaries distributed via one of our official channels, we're going to release `v1.9.24` ourselves built with Go `1.15.5`.

### Patches

This is not an issue in go-ethereum; rebuilding an older version with Go `1.15.5` or `1.14.12` will suffice to address the vulnerability.

### Workarounds

Rebuilding with Go `1.15.5` or `1.14.12` will suffice to address the vulnerability.

### References

- https://blog.ethereum.org/2020/11/12/geth_security_release/
- https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)
* Email us at [security@ethereum.org](mailto:security@ethereum.org)
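
Because the fix depends on the Go toolchain rather than the go-ethereum version, a deployed binary can be checked by reading the Go version recorded inside it. The following is an added example, not code from go-ethereum or this advisory; the `hasFix` helper and the `gocheck` name are hypothetical, and it assumes Go release lines after 1.15 carry the fix.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// hasFix reports whether a toolchain string such as "go1.15.4" is at or
// above the fixed releases named in the advisory (1.15.5 and 1.14.12).
func hasFix(v string) (bool, error) {
	var maj, minor, patch int
	// Sscanf stops at the first mismatch, so "go1.15rc1" yields 1.15 with patch 0.
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &maj, &minor, &patch); n < 2 {
		return false, fmt.Errorf("unrecognised toolchain %q", v)
	}
	switch {
	case maj > 1 || minor > 15: // assumption: lines after 1.15 carry the fix
		return true, nil
	case minor == 15:
		return patch >= 5, nil
	case minor == 14:
		return patch >= 12, nil
	}
	return false, nil // older lines: the advisory names no fixed release
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck /path/to/geth")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // Go version embedded in the binary
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ok, err := hasFix(info.GoVersion)
	fmt.Printf("%s: built with %s, fix present=%v, err=%v\n", os.Args[1], info.GoVersion, ok, err)
	if !ok {
		os.Exit(1) // non-zero exit so the check can gate a deployment script
	}
}
```

A development or otherwise unparseable toolchain string is reported as an error and treated as not fixed, so such a binary needs a manual check.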

Metadata

Created: 2021-06-29T21:13:54Z
Modified: 2025-01-30T14:37:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6gx-rhvj-fh52/GHSA-m6gx-rhvj-fh52.json
CWE IDs: []
Alternative ID: N/A
Finding: F067
Auto approve: 1