CVSS3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS Percentile: 53.3%

This package has been moved to github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 (CVE-2023-25568)

This is a two-step process:

- github.com/ipfs/go-bitswap to github.com/ipfs/boxo/bitswap.
- github.com/ipfs/go-bitswap and cannot upgrade to boxo, you can upgrade to github.com/ipfs/[email protected], this will replace the go-bitswap implementation with stubs that point to boxo.
- boxo's remediation section.

>= v0.9.0; < v0.12.0
github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceived
github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocks
github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreate
github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected
v0.8.0
github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived
github.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocks
github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate
github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
< v0.8.0
github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived
github.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFrom
github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate
github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected

If you are using the stubs at github.com/ipfs/go-bitswap and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allow you to run in a client-only mode using github.com/ipfs/go-bitswap/client.

Vendor | Product | Version | CPE |
---|---|---|---|
ipfs | go-ipfs-dep | * | cpe:2.3:a:ipfs:go-ipfs-dep:*:*:*:*:*:node.js:*:* |
github.com/advisories/GHSA-q3j6-22wf-3jh9
github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916
github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197
github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5
github.com/ipfs/go-bitswap/security/advisories/GHSA-q3j6-22wf-3jh9
github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5
nvd.nist.gov/vuln/detail/CVE-2023-25568