History: Dec 08, 2023 - 3:15 p.m.

CVE-2023-6245

2023-12-08 15:15:08
CWE-1288
CWE-835
CWE-168
CWE-20
Dfinity
web.nvd.nist.gov
cve-2023-6245
candid library
denial of service
dos
rust
decoding loop
canister
vulnerability
nvd
information security

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 31.9%

The Candid library causes a denial of service while parsing a specially crafted payload that contains the 'empty' data type. For example, if the payload is record { * ; empty } and the canister interface expects record { * }, then the Rust candid decoder treats empty as an extra field required by the type. The candid Rust library wrongly categorizes empty as a recoverable error when skipping the field, which causes an infinite decoding loop.

Canisters using affected versions of candid are exposed to denial of service: the decoding runs indefinitely until the canister traps on reaching the maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.

Affected configurations

Nvd

Node: dfinity candid, range 0.9.0 to 0.9.10, rust

Vendor | Product | Version | CPE
dfinity | candid | * | cpe:2.3:a:dfinity:candid:*:*:*:*:*:rust:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Candid",
    "repo": "https://github.com/dfinity/candid",
    "vendor": "Internet Computer",
    "versions": [
      {
        "lessThan": "0.9.10",
        "status": "affected",
        "version": "0.9.0",
        "versionType": "0.0.0"
      }
    ]
  }
]
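
To check a canister project against the range above, the following added example (not code from the candid project or from this advisory) scans Cargo.lock text for candid versions at or above 0.9.0 and below 0.9.10. The function names and the sample lockfile are constructed for illustration; it assumes each package entry lists `name` before `version`, and it ignores pre-release suffixes.

```rust
// Added example: report candid versions locked in a Cargo.lock that fall in
// the affected range stated on this page (0.9.0 <= version < 0.9.10).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "candid"
version = "0.9.5"
[[package]]
name = "candid"
version = "0.9.10"
[[package]]
name = "candid_derive"
version = "0.9.5"
"#; // constructed sample, not a real project's lockfile

/// Parse "major.minor.patch"; a pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// True when the version lies in the affected range; unparseable input is false.
fn is_affected(v: &str) -> bool {
    parse_version(v).map_or(false, |ver| ver >= (0, 9, 0) && ver < (0, 9, 10))
}

/// Return the quoted value of a `key = "value"` line, if the line has that key.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Collect every affected candid version found in the lockfile text.
fn affected_candid_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_candid = false; // set by the most recent `name` line
    for line in lockfile.lines().map(str::trim) {
        if let Some(name) = field(line, "name") {
            in_candid = name == "candid"; // exact match, so candid_derive is skipped
        } else if let Some(ver) = field(line, "version") {
            if in_candid && is_affected(ver) { hits.push(ver.to_string()); }
        }
    }
    hits
}

fn main() {
    for v in affected_candid_versions(SAMPLE_LOCK) { println!("affected: candid {}", v); }
}
```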
