x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2023-40591

[GoVulnBot]

CVE-2023-40591 references github.com/ethereum/go-ethereum, which may be a Go module.

Description:
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version 1.12.1-stable, i.e, 1.12.2-unstable and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-40591
• JSON: https://github.com/CVEProject/cvelist/tree/aa9c815330023d7b3eabda8c60fb9f9c9e8dba31/2023/40xxx/CVE-2023-40591.json
• advisory: GHSA-ppjg-v974-84cm
• web: https://geth.ethereum.org/docs/developers/geth-developer/disclosures
• web: https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1
• Imported by: https://pkg.go.dev/github.com/ethereum/go-ethereum?tab=importedby

Cross references:

• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-m6gx-rhvj-fh52 #392 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2022-29177 #456 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-5m8f-chrv-7rw5 #555 NOT_IMPORTABLE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-vmf7-hmh6-vv57 #581 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-vrcc-g6vj-mh5w #582 NOT_A_VULNERABILITY
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-pvx3-gm3c-gmpr #614 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum/cmd/evm: GHSA-9h4h-8w5p-f28w #814 NOT_IMPORTABLE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum/eth: GHSA-qr2j-wrhx-4829 #871 NOT_IMPORTABLE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-rqmg-hrg4-fm69 #941 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue dummy issue #63
• Module github.com/ethereum/go-ethereum appears in issue dummy issue #75
• Module github.com/ethereum/go-ethereum appears in issue dummy issue #105
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2021-39137 #254
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2021-41173 #256

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ethereum/go-ethereum
      vulnerable_at: 1.12.2
      packages:
        - package: go-ethereum
description: |-
    go-ethereum (geth) is a golang execution layer implementation of the Ethereum
    protocol. A vulnerable node, can be made to consume unbounded amounts of memory
    when handling specially crafted p2p messages sent from an attacker node. The fix
    is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards.
    Users are advised to upgrade. There are no known workarounds for this
    vulnerability.
cves:
    - CVE-2023-40591
references:
    - advisory: https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm
    - web: https://geth.ethereum.org/docs/developers/geth-developer/disclosures
    - web: https://github.com/ethereum/go-ethereum/releases/tag/v1.12.1

[gopherbot]

Change https://go.dev/cl/528635 mentions this issue: data/reports: add GO-2023-2046.yaml