CVE-2022-23486 - OpenCVE

Vendors	Products
Protocol	Libp2p

Link	Providers
https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23486", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.761Z", "datePublished": "2022-12-07T20:03:35.212Z", "dateUpdated": "2024-08-03T03:43:46.072Z"}, "containers": {"cna": {"title": "libp2p-rust denial of service vulnerability from lack of resource management", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"}], "affected": [{"vendor": "libp2p", "product": "rust-libp2p", "versions": [{"version": "< 0.45.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-07T20:03:35.212Z"}, "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/."}], "source": {"advisory": "GHSA-jvgw-gccv-q5p8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.072Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2245C53F-5AB7-4E50-8872-54C2CA002674", "versionEndExcluding": "0.45.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/."}, {"lang": "es", "value": "libp2p-rust es la implementaci\u00f3n oficial del lenguaje Rust de la pila de redes libp2p. En versiones anteriores a la 0.45.1, un nodo atacante puede hacer que un nodo v\u00edctima asigne una gran cantidad de peque\u00f1os fragmentos de memoria, lo que en \u00faltima instancia puede provocar que el proceso de la v\u00edctima se quede sin memoria y, por lo tanto, su sistema operativo lo elimine. Cuando se ejecuta continuamente, esto puede conducir a un ataque de Denegaci\u00f3n de Servicio (DoS), especialmente relevante a mayor escala cuando se ejecuta contra m\u00e1s de un nodo de una red basada en libp2p. Se recomienda a los usuarios actualizar a `libp2p` `v0.45.1` o superior. Los usuarios que no puedan actualizar deben consultar la p\u00e1gina de Mitigaci\u00f3n de DoS para obtener m\u00e1s informaci\u00f3n sobre c\u00f3mo incorporar estrategias de mitigaci\u00f3n, monitorizar su aplicaci\u00f3n y responder a los ataques: https://docs.libp2p.io/reference/dos-mitigation/."}], "id": "CVE-2022-23486", "lastModified": "2023-07-14T19:10:15.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-07T21:15:10.183", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object