CVE-2023-23626
Summary
| CVE | CVE-2023-23626 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-02-09 21:15:00 UTC |
| Updated | 2023-11-07 04:07:00 UTC |
| Description | go-bitfield is a simple bitfield package for the Go language that aims to be more performant than the standard library. When untrusted user input is fed into the `size` parameter of the `NewBitfield` and `FromBytes` functions, an attacker can trigger a `panic`. This happens when `size` is not a multiple of `8` or is negative. The `NewBitfield` documentation already carried a note about this requirement; known users of this package are nevertheless subject to the issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a non-negative multiple of 8 before calling `NewBitfield` or `FromBytes`. |
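The following Go program is an added illustration and is not code from ipfs/go-bitfield or from the fix commit. It uses a constructed byte-backed `Bitfield` type as a stand-in for the library: `newBitfieldUnchecked` reproduces the failure mode the description gives (a trusted `size` that is negative or not a multiple of 8 ends in a panic), `validateSize` is the caller-side guard the description recommends for users who cannot upgrade, and `NewBitfieldSafe` / `FromBytesSafe` show the error-returning shape the fix commit title describes. The byte layout, the bit ordering in `Bit`, and the exact-length rule in `FromBytesSafe` are assumptions made for this example, not the library's actual behaviour; the sample sizes in `main` are constructed attacker-controlled inputs.

```go
package main

import (
	"errors"
	"fmt"
)

// Bitfield is a constructed stand-in for a byte-backed bitfield; it is not
// the ipfs/go-bitfield implementation. size is always a count of bits.
type Bitfield []byte

// newBitfieldUnchecked reproduces the failure mode in the advisory: size is
// trusted as-is. A size that is not a multiple of 8 hits the explicit panic;
// a negative size (e.g. -8) passes that check and panics inside make() instead.
func newBitfieldUnchecked(size int) Bitfield {
	if size%8 != 0 {
		panic("bitfield: size must be a multiple of 8")
	}
	return make(Bitfield, size/8)
}

// ErrInvalidSize is returned instead of panicking once size is validated.
var ErrInvalidSize = errors.New("bitfield: size must be a non-negative multiple of 8")

// validateSize is the guard the advisory recommends callers apply before
// passing an untrusted size into the constructor functions.
func validateSize(size int) error {
	if size < 0 || size%8 != 0 {
		return ErrInvalidSize
	}
	return nil
}

// NewBitfieldSafe is the error-returning variant: bad input is a recoverable
// error for the caller, not a process-terminating panic.
func NewBitfieldSafe(size int) (Bitfield, error) {
	if err := validateSize(size); err != nil {
		return nil, err
	}
	return make(Bitfield, size/8), nil
}

// FromBytesSafe builds a bitfield of size bits from raw bytes. The exact-length
// check is an assumption for this example so that a short or long buffer is
// rejected rather than silently truncated or padded.
func FromBytesSafe(size int, data []byte) (Bitfield, error) {
	if err := validateSize(size); err != nil {
		return nil, err
	}
	if len(data) != size/8 {
		return nil, fmt.Errorf("bitfield: got %d bytes, want %d", len(data), size/8)
	}
	bf := make(Bitfield, size/8)
	copy(bf, data)
	return bf, nil
}

// Bit returns bit i (0-based, least-significant bit of byte i/8 first; this
// ordering is an assumption for the example) with bounds checking.
func (bf Bitfield) Bit(i int) (bool, error) {
	if i < 0 || i >= len(bf)*8 {
		return false, fmt.Errorf("bitfield: index %d out of range", i)
	}
	return bf[i/8]&(1<<uint(i%8)) != 0, nil
}

// callPanics reports whether the unchecked constructor panics for size,
// recovering so the demonstration itself does not crash.
func callPanics(size int) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	newBitfieldUnchecked(size)
	return false
}

func main() {
	// Constructed attacker-controlled sizes: negative, not a multiple of 8, valid.
	for _, size := range []int{-8, 12, 16} {
		fmt.Printf("size %d: unchecked panics=%v", size, callPanics(size))
		if _, err := NewBitfieldSafe(size); err != nil {
			fmt.Printf(", safe err=%v\n", err)
		} else {
			fmt.Println(", safe ok")
		}
	}
}
```

The point of the guard is that a panic in a library called from a network-facing service takes the whole goroutine (and, unrecovered, the process) down on a single malformed message, whereas a returned error lets the caller reject just that input; the check belongs at the trust boundary, before the size reaches any allocation.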
Risk And Classification
Problem Types: CWE-1284 (Improper Validation of Specified Quantity in Input)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Protocol | Go-bitfield | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| refactor: return errors instead of panics · ipfs/go-bitfield@5e1d256 · GitHub | MISC | github.com | |
| DOS when feeding malphormed sizes arguments · Advisory · ipfs/go-bitfield · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.