GHSA-q3j6-22wf-3jh9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q3j6-22wf-3jh9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-q3j6-22wf-3jh9/GHSA-q3j6-22wf-3jh9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q3j6-22wf-3jh9
- Aliases
- Published
- 2023-05-11T20:39:55Z
- Modified
- 2023-11-08T04:11:52.109563Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- github.com/ipfs/go-bitswap vulnerable to DOS unbounded persistent memory leak
- Details
-
This package has been moved to <code>github.com/ipfs/boxo/bitswap</code>, this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 (
CVE-2023-25568)Remediation
This is a two step process: 1. Apply one of: - (recommended) upgrade from
github.com/ipfs/go-bitswaptogithub.com/ipfs/boxo/bitswap. - If you are still usinggithub.com/ipfs/go-bitswapand cannot upgrade toboxo, you can upgrade togithub.com/ipfs/go-bitswap@v0.12.0, this will replace thego-bitswapimplementation by stubs which points toboxo. 2. Open https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 and then followboxo's remediation section.Vulnerable symbols
>= v0.9.0; < v0.12.0github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected
v0.8.0github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
< v0.8.0github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFromgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
Workarounds
If you are using the stubs at
github.com/ipfs/go-bitswapand not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using: <code>github.com/ipfs/go-bitswap/client</code>. - Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2023-05-11T20:39:55Z", "cwe_ids": [ "CWE-400", "CWE-770" ], "severity": "HIGH", "github_reviewed": true }- References
-
- https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5
- https://github.com/ipfs/go-bitswap/security/advisories/GHSA-q3j6-22wf-3jh9
- https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5
- https://nvd.nist.gov/vuln/detail/CVE-2023-25568
- https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916
- https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197
- https://github.com/ipfs/go-bitswap
Affected packages
Go / github.com/ipfs/go-bitswap
Package
- Name
- github.com/ipfs/go-bitswap
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ipfs/go-bitswap