CVE-2023-23631

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-23631

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23631.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-23631

Aliases

Related

GHSA-4gj3-6r43-3wfc

Published

2023-02-09T21:15:11Z

Modified

2025-01-15T04:43:11.045967Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/ipfs/go-unixfsnode

Affected ranges

Type: GIT
Repo: https://github.com/ipfs/go-unixfsnode
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

59050ea8bc458ae55246ae09243e6e165923e076

Fixed

59050ea8bc458ae55246ae09243e6e165923e076

Fixed

91b3d39d33ef0cd2aff2c95d50b2329350944b68

Fixed

91b3d39d33ef0cd2aff2c95d50b2329350944b68

Fixed

a4ed723727e0bdc2277158337c2fc0d82802d122

Fixed

a4ed723727e0bdc2277158337c2fc0d82802d122

Affected versions

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.5.1