CVE-2023-23631
Summary
| CVE | CVE-2023-23631 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-02-09 21:15:00 UTC |
| Updated | 2023-11-07 04:07:00 UTC |
| Description | github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions prior to 1.5.2, trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Risk And Classification
Problem Types: CWE-400
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Protocol | Go-unixfsnode | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| DOS HAMT Decoding Panics · Advisory · ipfs/go-unixfsnode · GitHub | MISC | github.com | |
| Add size check on the bitfield before allocation · ipfs/go-unixfsnode@91b3d39 · GitHub | MISC | github.com | |
| update ipfs/go-unixfs and ipfs/go-bitfield · ipfs/go-unixfsnode@a4ed723 · GitHub | MISC | github.com | |
| Merge pull request from GHSA-4gj3-6r43-3wfc · ipfs/go-unixfsnode@59050ea · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.