Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/lightningnetwork/lnd: CVE-2024-38359 #2944

Closed
GoVulnBot opened this issue Jun 21, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/lightningnetwork/lnd: CVE-2024-38359 #2944

GoVulnBot opened this issue Jun 21, 2024 · 1 comment
Assignees
@tatianab
Labels
duplicate triaged

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-38359 references a vulnerability in the following Go modules:

Module
github.com/lightningnetwork/lnd

Description:
The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning
Network node. A parsing vulnerability in lnd's onion processing logic and lead
to a DoS vector due to excessive memory allocation. The issue was patched in lnd
v0.17.0. Users should update to a version > v0.17.0 to be protected. Users
unable to upgrade may set the --rejecthtlc CLI flag and also disable
forwarding on channels via the UpdateChanPolicyCommand, or disable listening
on a public network interface via the --nolisten flag as a mitigation.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/lightningnetwork/lnd
      vulnerable_at: 0.18.0-beta.rc4
      packages:
        - package: lnd
summary: CVE-2024-38359 in github.com/lightningnetwork/lnd
cves:
    - CVE-2024-38359
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-38359
    - web: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979
    - web: https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta
    - web: https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7
    - web: https://lightning.network
    - web: https://morehouse.github.io/lightning/lnd-onion-bomb
source:
    id: CVE-2024-38359
    created: 2024-06-21T00:01:15.050987117Z
review_status: UNREVIEWED
@tatianab tatianab self-assigned this Jun 25, 2024
@tatianab
Copy link
Contributor

Duplicate of #2943

@tatianab tatianab marked this as a duplicate of #2943 Jun 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
duplicate triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @GoVulnBot