CVE-2023-23625 - OpenCVE

go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Protocol	Go-unixfs

Configuration 1 [-]

cpe:2.3:a:protocol:go-unixfs:*:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-02-09T20:57:22.072Z

Updated: 2024-08-02T10:35:33.626Z

Reserved: 2023-01-16T17:07:46.244Z

Link: CVE-2023-23625

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-09T21:15:11.327

Modified: 2023-11-07T04:07:50.273

Link: CVE-2023-23625

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23625", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.244Z", "datePublished": "2023-02-09T20:57:22.072Z", "dateUpdated": "2024-08-02T10:35:33.626Z"}, "containers": {"cna": {"title": "Denial of service in HAMT Decoding in go-unixfs ", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"}, {"name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175", "tags": ["x_refsource_MISC"], "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"}], "affected": [{"vendor": "ipfs", "product": "go-unixfs", "versions": [{"version": "< 0.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-09T20:57:22.072Z"}, "descriptions": [{"lang": "en", "value": "go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.\n"}], "source": {"advisory": "GHSA-q264-w97q-q778", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.626Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"}, {"name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:protocol:go-unixfs:*:*:*:*:*:go:*:*", "matchCriteriaId": "E633DAAE-3CBA-4C87-BFF2-8CDBDFC2D211", "versionEndExcluding": "0.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.\n"}], "id": "CVE-2023-23625", "lastModified": "2023-11-07T04:07:50.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-02-09T21:15:11.327", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}