CVE-2023-23626

Опубликовано: 09 фев. 2023

Источник: nvd

CVSS3: 5.9

CVSS3: 7.5

EPSS Низкий

Описание

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happen when the size is a not a multiple of 8 or is negative. There were already a note in the NewBitfield documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that size is a multiple of 8 before calling NewBitfield or FromBytes.

Ссылки

https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579
Patch
https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r
Exploit
Patch
Vendor Advisory
https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579
Patch
https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r
Exploit
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:protocol:go-bitfield:*:*:*:*:*:go:*:*

Версия до 1.1.0 (исключая)

EPSS

Процентиль: 47%

0.00239

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-754

CWE-1284

Связанные уязвимости

GHSA-2h6c-j3gf-xp9r

CVSS3: 5.9

github

почти 3 года назад

IPFS go-bitfield vulnerable to DoS via malformed size arguments

EPSS

Процентиль: 47%

0.00239

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-754

CWE-1284