CVE-2022-37450

low-risk
Published 2022-08-05

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

Do I need to act?

-
0.54% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Ethereum

References (8)

Broken Link http://dx.doi.org/10.13140/RG.2.2.27813.99043
Exploit https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b4...
https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-i...
Third Party Advisory https://news.ycombinator.com/item?id=32354896
Broken Link http://dx.doi.org/10.13140/RG.2.2.27813.99043
Exploit https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b4...
https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-i...
Third Party Advisory https://news.ycombinator.com/item?id=32354896
25
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal