
CVE-2023-23631 github.com/ipfs/go-unixfsnode

Package

Manager: go
Name: github.com/ipfs/go-unixfsnode
Vulnerable Version: >=0 <1.5.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00283 pctl0.51252

Details

IPFS go-unixfsnode subject to DOS via HAMT Decoding Panics

Impact

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. The fix includes the checks introduced in [ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r](https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r), as well as limiting the fanout to <= 1024 (to avoid attempts at arbitrary-sized allocations).

Patches

- https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
- https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122

References

- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
- https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r
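The root cause described above is an attacker-controlled fanout value that drives an allocation before it is sanity-checked. The following is an added illustration of the mitigation pattern, written for this page and not taken from go-unixfsnode or its patches: every size-bearing field from the untrusted node is validated before any allocation is sized from it. The upper bound of 1024 is the one the advisory states; the requirements that the fanout be a power of two, be at least 8, and that the shard bitfield carry exactly one bit per slot (fanout/8 bytes) are assumptions about the UnixFS HAMT layout made for this example, as are the function and error names.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// MaxHAMTFanout is the upper bound the advisory describes (fanout <= 1024).
// MinHAMTFanout is an assumption for this example: the smallest fanout whose
// bitfield is a whole number of bytes.
const (
	MaxHAMTFanout uint64 = 1024
	MinHAMTFanout uint64 = 8
)

// Sentinel errors so callers can distinguish which check rejected the node.
var (
	ErrFanoutZero       = errors.New("hamt: fanout must be non-zero")
	ErrFanoutNotPow2    = errors.New("hamt: fanout must be a power of two")
	ErrFanoutTooSmall   = errors.New("hamt: fanout below minimum")
	ErrFanoutTooLarge   = errors.New("hamt: fanout exceeds maximum")
	ErrBitfieldMismatch = errors.New("hamt: bitfield length does not match fanout")
)

// ValidateFanout rejects fanout values that must never reach an allocation:
// zero (division/indexing panics), non-powers-of-two (assumed layout rule),
// and anything outside [MinHAMTFanout, MaxHAMTFanout] (unbounded allocation).
func ValidateFanout(fanout uint64) error {
	switch {
	case fanout == 0:
		return ErrFanoutZero
	case bits.OnesCount64(fanout) != 1:
		return ErrFanoutNotPow2
	case fanout < MinHAMTFanout:
		return ErrFanoutTooSmall
	case fanout > MaxHAMTFanout:
		return ErrFanoutTooLarge
	}
	return nil
}

// ValidateShard checks the fanout and then the bitfield against it: one bit
// per child slot, so the bitfield must be exactly fanout/8 bytes long
// (assumption for this example, not a statement about the project's format).
func ValidateShard(fanout uint64, bitfield []byte) error {
	if err := ValidateFanout(fanout); err != nil {
		return err
	}
	if uint64(len(bitfield))*8 != fanout {
		return ErrBitfieldMismatch
	}
	return nil
}

// AllocateSlots is the guarded counterpart of "make([]T, fanout)" on an
// untrusted value: the allocation happens only after validation, so the
// largest slice it can ever create has MaxHAMTFanout entries.
func AllocateSlots(fanout uint64, bitfield []byte) ([]uint32, error) {
	if err := ValidateShard(fanout, bitfield); err != nil {
		return nil, err
	}
	return make([]uint32, fanout), nil
}

func main() {
	// Constructed sample shard headers: one well-formed, one oversized.
	good := uint64(256)
	bad := uint64(1 << 40) // power of two, but would size a multi-terabyte slice
	for _, fanout := range []uint64{good, bad} {
		slots, err := AllocateSlots(fanout, make([]byte, fanout/8))
		fmt.Printf("fanout=%d slots=%d err=%v\n", fanout, len(slots), err)
	}
}
```

Ordering the checks so that the bound test runs before any `make` is the whole point: the panic and the memory growth both come from trusting the decoded number first and checking it afterwards.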

Metadata

Created: 2023-02-10T19:54:14Z
Modified: 2023-02-17T20:32:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-4gj3-6r43-3wfc/GHSA-4gj3-6r43-3wfc.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-4gj3-6r43-3wfc
Finding: F067
Auto approve: 1