GHSA-c653-6hhg-9x92
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c653-6hhg-9x92
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-c653-6hhg-9x92/GHSA-c653-6hhg-9x92.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c653-6hhg-9x92
- Aliases
- Related
- Published
- 2023-01-05T12:04:09Z
- Modified
- 2023-11-08T04:11:35.552164Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- go-ipld-prime/codec/json may panic if asked to encode bytes
- Details
-
go-ipld-primeis a series of Go interfaces for manipulating IPLD data and a Go module that contains thego-ipld-prime/codec/jsoncodec.Impact
Encoding data which contains a
Byteskind Node will pass aBytestoken to the JSON encoder which will panic as it doesn't expect to receiveBytestokens. Such an encoding should be treated as an error, as plain JSON should not be able to encode Bytes.This only impacts uses of the "json" codec, "dag-json" is not impacted. Use of "json" as a decoder is not impacted.
Patches
Fixed in v0.19.0.
Workarounds
Prefer the "dag-json" codec which has the ability to encode bytes.
References
See fix in #472
- Database specific
{ "nvd_published_at": "2023-01-04T15:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-01-05T12:04:09Z" }- References
-
- https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92
- https://nvd.nist.gov/vuln/detail/CVE-2023-22460
- https://github.com/ipld/go-ipld-prime/pull/472
- https://github.com/ipld/go-ipld-prime/commit/146d1c8529676fe9ee0604f014656af2395505fc
- https://github.com/ipld/go-ipld-prime
- https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0
- https://pkg.go.dev/vuln/GO-2023-1269
Affected packages
Go / github.com/ipld/go-ipld-prime
Package
- Name
- github.com/ipld/go-ipld-prime
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ipld/go-ipld-prime