{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40583", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-16T18:24:02.391Z", "datePublished": "2023-08-25T20:25:28.297Z", "dateUpdated": "2024-08-02T18:38:50.867Z"}, "containers": {"cna": {"title": "libp2p nodes vulnerable to OOM attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"}, {"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd", "tags": ["x_refsource_MISC"], "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}, {"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"}, {"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"}], "affected": [{"vendor": "libp2p", "product": "go-libp2p", "versions": [{"version": "< 0.27.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-25T20:25:28.297Z"}, "descriptions": [{"lang": "en", "value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."}], "source": {"advisory": "GHSA-gcq9-qqwx-rgj3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:38:50.867Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"}, {"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}, {"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"}, {"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*", "matchCriteriaId": "C5F4582C-9B6B-41FB-99E1-C3B2CB0E19AD", "versionEndExcluding": "0.27.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."}, {"lang": "es", "value": "libp2p es una pila de red y una biblioteca modularizada a partir del Proyecto IPFS, y empaquetada por separado para que otras herramientas puedan utilizarla. En go-libp2p, mediante el uso de registros de pares firmados, un actor malicioso puede almacenar una cantidad arbitraria de datos en la memoria de un nodo remoto. Esta memoria no se recoge de la basura, por lo que la v\u00edctima puede quedarse sin memoria y bloquearse. Si los usuarios de go-libp2p en producci\u00f3n no monitorizan el consumo de memoria a lo largo del tiempo, podr\u00eda tratarse de un ataque silencioso, es decir, el atacante podr\u00eda hacer caer nodos durante un periodo de tiempo (el tiempo depende de los recursos del nodo, es decir, un nodo go-libp2p en un servidor virtual con 4 gb de memoria tarda unos 90 segundos en caerse; en un servidor m\u00e1s grande, podr\u00eda tardar un poco m\u00e1s). Este problema fue corregido en la versi\u00f3n 0.27.4.\n"}], "id": "CVE-2023-40583", "lastModified": "2023-09-01T13:10:55.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-08-25T21:15:09.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}