GHSA-p4g4-wgrh-qrg2

Suggest an improvement
Source
https://github.com/advisories/GHSA-p4g4-wgrh-qrg2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p4g4-wgrh-qrg2/GHSA-p4g4-wgrh-qrg2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p4g4-wgrh-qrg2
Aliases
Related
Published
2023-02-07T22:59:30Z
Modified
2023-12-06T01:00:15.424450Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Panic due to malformed WALs in go.etcd.io/etcd
Details

Vulnerability type

Data Validation

Detail

The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

Specific Go Packages Affected

github.com/etcd-io/etcd/wal

References

Find out more on this vulnerability in the security audit report

For more information

If you have any questions or comments about this advisory: * Contact the etcd security committee

Database specific
{
    "nvd_published_at": "2020-08-05T19:15:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-07T22:59:30Z"
}
References

Affected packages

Go / go.etcd.io/etcd

Package

Name
go.etcd.io/etcd
View open source insights on deps.dev
Purl
pkg:golang/go.etcd.io/etcd

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.0-alpha.5.0.20200423152442-f4b650b51dc4