[GHSA-mq3p-rrmp-79jg] go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message #7103
Hi there @fjl! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR updates the recorded severity metadata for GHSA-mq3p-rrmp-79jg (go-ethereum malicious p2p message causing high CPU usage/DoS) by revising the CVSS v4 vector and raising the advisory severity classification.
Changes:
- Updated modified timestamp.
- Updated CVSS v4 vector string.
- Changed database_specific.severity from HIGH to CRITICAL.
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N" |
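Review bot: this line changes two independent things with no rationale in the PR description, which only says "Updated CVSS v4 vector string": the impact metrics VC, VI, SC and SI all move from N to H, and PR drops from L to N. The advisory title and the CWE-400 classification visible in the next hunk describe CPU exhaustion from a malicious p2p message, which supports VA:H but says nothing about confidentiality, integrity or subsequent-system impact. Please either cite the scoring source (GitHub or NVD) that assigns those High impacts, or keep them at N, and justify the PR:L to PR:N change on its own so a reviewer can evaluate it separately from the impact metrics.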
The CVSS v4 vector sets confidentiality/integrity impacts (VC/VI) and subsequent system impacts (SC/SI) to High, but this advisory’s summary/details describe a CPU-exhaustion DoS. Unless there’s evidence of data compromise or downstream system impact, the vector should reflect availability-only impact (e.g., VC:N/VI:N with VA:H and typically SC/SI:N). Please re-check the CVSS v4 scoring source (GitHub/NVD) and update the vector accordingly.
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N" | |
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" |
| "CWE-400" | ||
| ], | ||
| "severity": "HIGH", | ||
| "severity": "CRITICAL", |
database_specific.severity was bumped to CRITICAL, but the described impact is a DoS via high CPU usage. In this repo, similar availability-only CVSS v4 vectors are typically categorized as HIGH (for example, GHSA-8r9q-7v3j-jr4g uses an availability-only CVSS v4 vector and severity: HIGH). After correcting/confirming the CVSS vector, please ensure this severity value matches the assessed impact.
| "severity": "CRITICAL", | |
| "severity": "HIGH", |
Thank you for your interest in improving this advisory. Could you explain why these changes need to be made?
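The two review comments above make the same point from different angles: an advisory classified as resource exhaustion (CWE-400) should carry a CVSS v4 vector whose confidentiality, integrity and subsequent-system metrics are N, and its severity label should follow the vector rather than be set independently. The following script is an added example (not GitHub's advisory tooling, not go-ethereum code) that lints an OSV/GHSA-style advisory record for exactly these inconsistencies. It assumes the GHSA JSON layout visible in the hunks (a `severity` array of `{"type": "CVSS_V4", "score": ...}` objects and a `database_specific` object holding `cwe_ids` and `severity`), and it treats "availability-only vectors are labelled HIGH at most" as a repository convention taken from the review thread, not as a CVSS rule. The two sample records are constructed from the vectors and labels shown in this PR.

```python
"""Consistency lint for a GHSA-style advisory record (added example).

Checks that a CVSS v4 vector agrees with a CWE-400 (resource exhaustion)
classification and that database_specific.severity is not inflated beyond
what an availability-only vector supports.
"""
import re

# CVSS v4.0 base metrics and their permitted values (per the CVSS v4.0 spec).
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
# Metrics that must be N when an issue has no confidentiality/integrity or
# downstream-system effect, i.e. a pure denial of service.
NON_AVAILABILITY_IMPACTS = ("VC", "VI", "SC", "SI")
CWE_RESOURCE_EXHAUSTION = "CWE-400"


def parse_cvss_v4(vector):
    """Parse 'CVSS:4.0/AV:N/AC:L/...' into a dict, validating the base metrics.

    Non-base metrics (threat, environmental, supplemental) are accepted and
    returned as-is; a missing or invalid base metric raises ValueError.
    """
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: %r" % parts[0])
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", part)
        if not m:
            raise ValueError("malformed metric %r" % part)
        name, value = m.groups()
        if name in metrics:
            raise ValueError("duplicate metric %s" % name)
        metrics[name] = value
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    for name, allowed in BASE_METRICS.items():
        if metrics[name] not in allowed:
            raise ValueError("invalid value %s for %s" % (metrics[name], name))
    return metrics


def lint_advisory(advisory):
    """Return a list of human-readable findings; empty means self-consistent."""
    findings = []
    db = advisory.get("database_specific", {})
    cwes = db.get("cwe_ids", [])
    label = db.get("severity")
    vectors = [s["score"] for s in advisory.get("severity", []) if s.get("type") == "CVSS_V4"]
    for vector in vectors:
        try:
            m = parse_cvss_v4(vector)
        except ValueError as exc:
            findings.append("unparseable CVSS v4 vector: %s" % exc)
            continue
        if CWE_RESOURCE_EXHAUSTION in cwes:
            inflated = [k for k in NON_AVAILABILITY_IMPACTS if m[k] != "N"]
            if inflated:
                findings.append("CWE-400 advisory claims non-availability impact via %s"
                                % ", ".join(inflated))
            if m["VA"] == "N":
                findings.append("CWE-400 advisory has no availability impact (VA:N)")
        availability_only = all(m[k] == "N" for k in NON_AVAILABILITY_IMPACTS)
        # Assumed repository convention (from the review thread): an
        # availability-only vector is labelled HIGH at most, never CRITICAL.
        if availability_only and label == "CRITICAL":
            findings.append("severity CRITICAL is not supported by an availability-only vector")
    return findings


# Constructed sample records using the vectors and labels shown in the PR hunks.
PROPOSED = {
    "severity": [{"type": "CVSS_V4",
                  "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N"}],
    "database_specific": {"cwe_ids": ["CWE-400"], "severity": "CRITICAL"},
}
CORRECTED = {
    "severity": [{"type": "CVSS_V4",
                  "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}],
    "database_specific": {"cwe_ids": ["CWE-400"], "severity": "HIGH"},
}

if __name__ == "__main__":
    for name, record in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(name, lint_advisory(record) or "ok")
```

Run as a script it reports one finding for the proposed record (the four impact metrics that conflict with CWE-400) and none for the corrected one; a record that kept the corrected vector but left the label at CRITICAL would be flagged by the severity rule instead. The parser rejects non-4.0 prefixes, duplicate metrics and out-of-range base values, so a truncated or hand-edited vector string fails loudly rather than silently passing the lint.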