CVE-2023-23625
CVSS V2 None
CVSS V3 None
Description
go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
Overview
- CVE ID
- CVE-2023-23625
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-02-09T21:15:11
- Last Modified Date
- 2023-02-17T17:11:24
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:protocol:go-unixfs:*:*:*:*:*:go:*:* | 1 | OR | 0.4.3 |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175 | Patch |
| https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778 | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-23625 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23625 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 07:28:42 | Added to TrackCVE | |||
| 2023-04-17 07:28:45 | Weakness Enumeration | new |