9 vulnerabilities by IPFS
CVE-2023-25568 (GCVE-0-2023-25568)
Vulnerability from cvelistv5 – Published: 2023-05-10 00:00 – Updated: 2025-02-13 16:44
Summary
Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able to allocate arbitrarily many bytes in the Bitswap server, those allocations persist even after the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap`, because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` without taking advantage of the features provided by the server can refactor their code to use the new split API, which allows them to run in a client-only mode: `github.com/ipfs/go-libipfs/bitswap/client`.
Severity
8.2 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25568",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T21:33:49.089709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T21:34:11.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "boxo",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "0.4.0"
},
{
"status": "affected",
"version": "0.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-10T13:30:09.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
},
{
"url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
},
{
"url": "https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974"
},
{
"url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
}
],
"source": {
"advisory": "GHSA-m974-xj4j-7qv5",
"defect": [
"GHSA-m974-xj4j-7qv5"
],
"discovery": "UNKNOWN"
},
"title": "Boxo bitswap/server: DOS unbounded persistent memory leak",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25568",
"datePublished": "2023-05-10T00:00:00.000Z",
"dateReserved": "2023-02-07T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:44:30.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23625 (GCVE-0-2023-23625)
Vulnerability from cvelistv5 – Published: 2023-02-09 20:57 – Updated: 2025-03-10 21:13
Summary
go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
Severity
5.9 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"
},
{
"name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:57:57.598014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:13:58.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-unixfs",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-09T20:57:22.072Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"
},
{
"name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"
}
],
"source": {
"advisory": "GHSA-q264-w97q-q778",
"discovery": "UNKNOWN"
},
"title": "Denial of service in HAMT Decoding in go-unixfs "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23625",
"datePublished": "2023-02-09T20:57:22.072Z",
"dateReserved": "2023-01-16T17:07:46.244Z",
"dateUpdated": "2025-03-10T21:13:58.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23626 (GCVE-0-2023-23626)
Vulnerability from cvelistv5 – Published: 2023-02-09 20:54 – Updated: 2025-03-10 21:14
Summary
go-bitfield is a simple bitfield package for the Go language aiming to be more performant than the standard library. When feeding untrusted user input into the size parameter of the `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happens when the `size` is not a multiple of `8` or is negative. There was already a note in the `NewBitfield` documentation; however, known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.
Severity
5.9 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ipfs | go-bitfield | Affected: < 1.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.661Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
},
{
"name": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23626",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:02.599125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:14:05.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-bitfield",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-09T20:54:07.075Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
},
{
"name": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
}
],
"source": {
"advisory": "GHSA-2h6c-j3gf-xp9r",
"discovery": "UNKNOWN"
},
"title": "Denial of service when feeding malformed size arguments in go-bitfield"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23626",
"datePublished": "2023-02-09T20:54:07.075Z",
"dateReserved": "2023-01-16T17:07:46.244Z",
"dateUpdated": "2025-03-10T21:14:05.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23631 (GCVE-0-2023-23631)
Vulnerability from cvelistv5 – Published: 2023-02-09 20:46 – Updated: 2025-03-10 21:14
Summary
github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions prior to 1.5.2, trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.9 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ipfs | go-unixfsnode | Affected: < 1.5.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.625Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
},
{
"name": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
},
{
"name": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68"
},
{
"name": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:01.028428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:14:10.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-unixfsnode",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb\u0027s implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.\nIf you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-09T20:46:22.930Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
},
{
"name": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
},
{
"name": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68"
},
{
"name": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122"
}
],
"source": {
"advisory": "GHSA-4gj3-6r43-3wfc",
"discovery": "UNKNOWN"
},
"title": "HAMT Decoding Panics in github.com/ipfs/go-unixfsnode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23631",
"datePublished": "2023-02-09T20:46:22.930Z",
"dateReserved": "2023-01-16T17:07:46.245Z",
"dateUpdated": "2025-03-10T21:14:10.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23495 (GCVE-0-2022-23495)
Vulnerability from cvelistv5 – Published: 2022-12-08 21:25 – Updated: 2025-04-23 16:31
Summary
go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.
Severity
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ipfs | go-merkledag | Affected: >= 0.4.0, < 0.8.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
},
{
"name": "https://github.com/ipfs/go-merkledag/issues/90",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/issues/90"
},
{
"name": "https://github.com/ipfs/kubo/issues/9297",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/kubo/issues/9297"
},
{
"name": "https://github.com/ipfs/go-merkledag/pull/91",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/pull/91"
},
{
"name": "https://github.com/ipfs/go-merkledag/pull/92",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/pull/92"
},
{
"name": "https://github.com/ipfs/go-merkledag/pull/93",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/pull/93"
},
{
"name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
},
{
"name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
},
{
"name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:01.494241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:04.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-merkledag",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T21:25:40.257Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
},
{
"name": "https://github.com/ipfs/go-merkledag/issues/90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-merkledag/issues/90"
},
{
"name": "https://github.com/ipfs/kubo/issues/9297",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/kubo/issues/9297"
},
{
"name": "https://github.com/ipfs/go-merkledag/pull/91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-merkledag/pull/91"
},
{
"name": "https://github.com/ipfs/go-merkledag/pull/92",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-merkledag/pull/92"
},
{
"name": "https://github.com/ipfs/go-merkledag/pull/93",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-merkledag/pull/93"
},
{
"name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
},
{
"name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
},
{
"name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
}
],
"source": {
"advisory": "GHSA-x39j-h85h-3f46",
"discovery": "UNKNOWN"
},
"title": "ProtoNode may be modified such that common method calls may panic in ipfs/go-merkledag"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23495",
"datePublished": "2022-12-08T21:25:40.257Z",
"dateReserved": "2022-01-19T21:23:53.766Z",
"dateUpdated": "2025-04-23T16:31:04.725Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26283 (GCVE-0-2020-26283)
Vulnerability from cvelistv5 – Published: 2021-03-24 20:30 – Updated: 2024-08-04 15:56
Summary
go-ipfs is an open-source golang implementation of IPFS, which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can hide input from the user, which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0.
Severity
6.8 (Medium)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-ipfs/pull/7831"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-ipfs",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-24T20:30:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-ipfs/pull/7831"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a"
}
],
"source": {
"advisory": "GHSA-r4gv-vj59-cccm",
"discovery": "UNKNOWN"
},
"title": "Control character injection in console output",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26283",
"STATE": "PUBLIC",
"TITLE": "Control character injection in console output"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "go-ipfs",
"version": {
"version_data": [
{
"version_value": "\u003c 0.8.0"
}
]
}
}
]
},
"vendor_name": "ipfs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-116 Improper Encoding or Escaping of Output"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm",
"refsource": "CONFIRM",
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm"
},
{
"name": "https://github.com/ipfs/go-ipfs/pull/7831",
"refsource": "MISC",
"url": "https://github.com/ipfs/go-ipfs/pull/7831"
},
{
"name": "https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a",
"refsource": "MISC",
"url": "https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a"
}
]
},
"source": {
"advisory": "GHSA-r4gv-vj59-cccm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26283",
"datePublished": "2021-03-24T20:30:19",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26279 (GCVE-0-2020-26279)
Vulnerability from cvelistv5 – Published: 2021-03-24 20:20 – Updated: 2024-08-04 15:56
Summary
go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, it is possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1.
Severity ?
7.7 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-ipfs",
"vendor": "ipfs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.0-rc1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, it is possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-24T20:20:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227"
}
],
"source": {
"advisory": "GHSA-27pv-q55r-222g",
"discovery": "UNKNOWN"
},
"title": "Path traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26279",
"STATE": "PUBLIC",
"TITLE": "Path traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "go-ipfs",
"version": {
"version_data": [
{
"version_value": "\u003c 0.8.0-rc1"
}
]
}
}
]
},
"vendor_name": "ipfs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, it is possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g",
"refsource": "CONFIRM",
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g"
},
{
"name": "https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2",
"refsource": "MISC",
"url": "https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2"
},
{
"name": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227",
"refsource": "MISC",
"url": "https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227"
}
]
},
"source": {
"advisory": "GHSA-27pv-q55r-222g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26279",
"datePublished": "2021-03-24T20:20:14",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11059 (GCVE-0-2020-11059)
Vulnerability from cvelistv5 – Published: 2020-05-27 20:55 – Updated: 2024-08-04 11:21
Summary
In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1.
Severity ?
9.6 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AEgir",
"vendor": "IPFS",
"versions": [
{
"status": "affected",
"version": "\u003e= 21.7.0, \u003c 21.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-27T20:55:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw"
}
],
"source": {
"advisory": "GHSA-qfcv-5whw-7pcw",
"discovery": "UNKNOWN"
},
"title": "Exposure of Sensitive Information to an Unauthorized Actor in AEgir",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11059",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in AEgir"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AEgir",
"version": {
"version_data": [
{
"version_value": "\u003e= 21.7.0, \u003c 21.10.1"
}
]
}
}
]
},
"vendor_name": "IPFS"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw",
"refsource": "CONFIRM",
"url": "https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw"
}
]
},
"source": {
"advisory": "GHSA-qfcv-5whw-7pcw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11059",
"datePublished": "2020-05-27T20:55:10",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10563 (GCVE-0-2016-10563)
Vulnerability from cvelistv5 – Published: 2018-05-31 20:00 – Updated: 2024-09-16 18:49
Summary
During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further compromise.
Severity ?
No CVSS data available.
CWE
- CWE-311 - Missing Encryption of Sensitive Data (CWE-311)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| HackerOne | go-ipfs-dep node module | Affected: `<0.4.4` |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:30:18.477Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/156"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/diasdavid/go-ipfs-dep/pull/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-ipfs-dep node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c0.4.4"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further compromise."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "Missing Encryption of Sensitive Data (CWE-311)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-31T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/156"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/diasdavid/go-ipfs-dep/pull/12"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2016-10563",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "go-ipfs-dep node module",
"version": {
"version_data": [
{
"version_value": "\u003c0.4.4"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further compromise."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Encryption of Sensitive Data (CWE-311)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/156",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/156"
},
{
"name": "https://github.com/diasdavid/go-ipfs-dep/pull/12",
"refsource": "MISC",
"url": "https://github.com/diasdavid/go-ipfs-dep/pull/12"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2016-10563",
"datePublished": "2018-05-31T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T18:49:48.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}