CVE-2020-5303

{"id": "CVE-2020-5303", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2020-04-10T19:15:13.290", "references": [{"url": "https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/820317", "tags": ["Permissions Required", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/820317", "tags": ["Permissions Required", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-789"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10."}, {"lang": "es", "value": "Tendermint versiones anteriores a 0.33.3, 0.32.10 y 0.31.12, presenta una vulnerabilidad de denegaci\u00f3n de servicio. Tendermint no limita el n\u00famero de peticiones de conexi\u00f3n P2P. Para cada conexi\u00f3n p2p, asigna XXX bytes. Aun cuando esta memoria es de tipo garbage collected una vez que se termina la conexi\u00f3n (debido a IP duplicada o que alcanza un n\u00famero m\u00e1ximo de peers entrantes), los picos de memoria temporales pueden conllevar a excepciones OOM (Fuera de la Memoria). Adicionalmente, Tendermint no recupera el \"activeID\" de un peer despu\u00e9s de que es eliminado en el reactor Mempool. Esto no sucede todo el tiempo. Solo se presenta cuando se produce un fallo de conexi\u00f3n (por cualquier motivo) antes de que el Peer sea creado y agregado a todos los reactores. RemovePeer, por lo tanto, es llamado antes \"AddPeer\", lo que conlleva a una memoria creciente siempre (mapa \"activeIDs\"). El mapa activeIDs presenta un tama\u00f1o m\u00e1ximo de 65535 y el nodo entrar\u00e1 en p\u00e1nico si este mapa alcanza el m\u00e1ximo. Un atacante puede crear muchos intentos de conexi\u00f3n (explotar por encima de la denegaci\u00f3n de servicio), lo que finalmente conllevar\u00e1 al p\u00e1nico del nodo. Estos problemas est\u00e1n parcheados en Tendermint versiones 0.33.3 y 0.32.10"}], "lastModified": "2024-11-21T05:33:52.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D919600-9671-435B-B13B-F3CCF335F789", "versionEndExcluding": "0.31.12"}, {"criteria": "cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE745543-7E8B-412B-B0ED-2496B163B7B4", "versionEndExcluding": "0.32.10", "versionStartIncluding": "0.32.0"}, {"criteria": "cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "326E6655-BC1A-4C1C-B08C-5F5FA1B2ACB9", "versionEndExcluding": "0.33.3", "versionStartIncluding": "0.33.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}