LES Server DoS via GetProofsV2
CVE-2020-26264

6.5MEDIUM

Key Information:

Vendor

Ethereum

Status
Go-ethereum
Vendor
CVE Published:
11 December 2020

What is CVE-2020-26264?

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.

Affected Version(s)

go-ethereum < 1.9.25

References

https://github.com/ethereum/go-ethereum/security/advisori...
x_refsource_CONFIRM
https://github.com/ethereum/go-ethereum/pull/21896
x_refsource_MISC
https://github.com/ethereum/go-ethereum/commit/bddd103a9f...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-26264 : LES Server DoS via GetProofsV2