Denial of service in CPP-Ethereum

#VU9963 Denial of service in CPP-Ethereum

Published: 2018-01-12

Vulnerability identifier: #VU9963

Vulnerability risk: Low

CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-12119

CWE-ID: CWE-248

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CPP-Ethereum
Universal components / Libraries / Software for developers

Vendor: Ethereum

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in multiple APIs of CPP-Ethereum's JSON-RPC due to an insufficient validation of user-supplied input. A remote attacker can make a specially crafted JSON request, trigger a unhandled exception and cause the application to crash.

Mitigation
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.

Vulnerable software versions

CPP-Ethereum: All versions

External links
http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0471

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in CPP and Parity Ethereum