CVE-2023-22460 – github.com/ipld/go-ipld-prime

Package

Manager: go
Name: github.com/ipld/go-ipld-prime
Vulnerable Version: >=0 <0.19.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00077 pctl0.23822

Details

go-ipld-prime/codec/json may panic if asked to encode bytes `go-ipld-prime` is a series of Go interfaces for manipulating IPLD data and a Go module that contains the `go-ipld-prime/codec/json` codec. ### Impact Encoding data which contains a `Bytes` kind Node will pass a `Bytes` token to the JSON encoder which will panic as it doesn't expect to receive `Bytes` tokens. Such an encoding should be treated as an error, as plain JSON should not be able to encode Bytes. **This only impacts uses of the "json" codec, "dag-json" is not impacted.** Use of "json" as a decoder is not impacted. ### Patches Fixed in v0.19.0. ### Workarounds Prefer the "dag-json" codec which has the ability to [encode bytes](https://ipld.io/specs/codecs/dag-json/spec/#bytes). ### References See fix in [#472](https://github.com/ipld/go-ipld-prime/pull/472)

Metadata

Created: 2023-01-05T12:04:09Z
Modified: 2023-01-05T12:04:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-c653-6hhg-9x92/GHSA-c653-6hhg-9x92.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-c653-6hhg-9x92
Finding: F184
Auto approve: 1