CVE-2020-26264 - log

CVE-2020-26264 edited at 11 Dec 2020 18:28:32
Description
- Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling LES server; disabling LES prevents the exploit. The vulnerability was patched in version 1.9.25.
+ In go-ethereum before version 1.9.25, a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling the LES server; disabling LES prevents the exploit. The vulnerability was patched in version 1.9.25.
CVE-2020-26264 edited at 11 Dec 2020 18:03:37
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling LES server; disabling LES prevents the exploit. The vulnerability was patched in version 1.9.25.
References
+ https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q
+ https://github.com/ethereum/go-ethereum/pull/21896
+ https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46
Notes
+ Workaround
+ ==========
+
+ This issue can be mitigated by disabling the LES server.
CVE-2020-26264 created at 11 Dec 2020 17:58:56