Lucene search

[email protected]NVD:CVE-2023-23631

HistoryFeb 09, 2023 - 9:15 p.m.

CVE-2023-23631

2023-02-0921:15:11

CWE-400

[email protected]

web.nvd.nist.gov

github

ipfs

unixfsnode

pathing

protobuf

vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.1

Confidence

High

EPSS

0.002

Percentile

54.4%

JSON

github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb’s implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

protocolgo-unixfsnodeRange<1.5.2go

VendorProductVersionCPE
protocolgo-unixfsnode*cpe:2.3:a:protocol:go-unixfsnode:*:*:*:*:*:go:*:*

Vendor	Product	Version	CPE
protocol	go-unixfsnode	*	cpe:2.3:a:protocol:go-unixfsnode::::::go::*

References

github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076

github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68

github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122

github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.1

Confidence

High

EPSS

0.002

Percentile

54.4%

JSON

Related for NVD:CVE-2023-23631

github1 prion1 cvelist1 osv3 cve1 veracode1