x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2024-32972

[GoVulnBot]

CVE-2024-32972 references github.com/ethereum/go-ethereum, which may be a Go module.

Description:
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in geth version 1.13.15 and onwards.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-32972
• JSON: https://github.com/CVEProject/cvelist/tree/cb8d7a28d0b1d1ce1a264aeee082830172430f98/2024/32xxx/CVE-2024-32972.json
• advisory: GHSA-4xc9-8hmq-j652
• web: ethereum/go-ethereum@v1.13.14...v1.13.15
• Imported by: https://pkg.go.dev/github.com/ethereum/go-ethereum?tab=importedby

Cross references:

• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-m6gx-rhvj-fh52 #392 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2022-29177 #456 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-5m8f-chrv-7rw5 #555 NOT_IMPORTABLE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-vmf7-hmh6-vv57 #581 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-vrcc-g6vj-mh5w #582 NOT_A_VULNERABILITY
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-pvx3-gm3c-gmpr #614 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum/cmd/evm: GHSA-9h4h-8w5p-f28w #814 NOT_IMPORTABLE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum/eth: GHSA-qr2j-wrhx-4829 #871 NOT_IMPORTABLE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-rqmg-hrg4-fm69 #941 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: GHSA-v9jh-j8px-98vq #2127 EFFECTIVELY_PRIVATE
• Module github.com/ethereum/go-ethereum appears in issue dummy issue #63
• Module github.com/ethereum/go-ethereum appears in issue dummy issue #75
• Module github.com/ethereum/go-ethereum appears in issue dummy issue #105
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2021-39137 #254
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2021-41173 #256
• Module github.com/ethereum/go-ethereum appears in issue x/vulndb: potential Go vuln in github.com/ethereum/go-ethereum: CVE-2023-40591 #2046

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ethereum/go-ethereum
      vulnerable_at: 1.14.0
      packages:
        - package: go-ethereum
summary: CVE-2024-32972 in github.com/ethereum/go-ethereum
cves:
    - CVE-2024-32972
references:
    - advisory: https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652
    - web: https://github.com/ethereum/go-ethereum/compare/v1.13.14...v1.13.15
source:
    id: CVE-2024-32972

[timothy-king]

Duplicate of #2819

[gopherbot]

Change https://go.dev/cl/584157 mentions this issue: data/reports: add GO-2024-2819.yaml