CVE-2024-38359

EPSS 0.18%
Veröffentlicht 20.06.2024 23:15:52
Zuletzt bearbeitet 21.11.2024 09:25:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation.  The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerlightning_network_daemon_project

≫

Produkt lightning_network_daemon

Default Statusunknown

Version < 0.17.0

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.397

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta

https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7

https://lightning.network

https://morehouse.github.io/lightning/lnd-onion-bomb

https://nvd.nist.gov/vuln/detail/CVE-2024-38359

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-38359

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-38359

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-38359