GO-2021-0075.yaml

id: GO-2021-0075
modules:
    - module: github.com/ethereum/go-ethereum
      versions:
        - fixed: 1.8.11
      vulnerable_at: 1.8.11-0.20180605071142-7a22e89080b2
      packages:
        - package: github.com/ethereum/go-ethereum/les
          symbols:
            - ProtocolManager.handleMsg
          skip_fix: 'TODO: revisit this reason (cannot find module providing package github.com/hashicorp/golang-lru)'
summary: |-
    Panic due to improper validation of RPC messages in
    github.com/ethereum/go-ethereum
description: |-
    Due to improper argument validation in RPC messages, a maliciously crafted
    message can cause a panic, leading to denial of service.
published: 2021-04-14T20:04:52Z
cves:
    - CVE-2018-12018
ghsas:
    - GHSA-p5gc-957x-gfw9
references:
    - fix: https://github.com/ethereum/go-ethereum/pull/16891
    - fix: https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4
review_status: REVIEWED