cvelistv5 - cve-2022-23492

CVE-2022-23492 (GCVE-0-2022-23492)

Vulnerability from cvelistv5 – Published: 2022-12-08 00:08 – Updated: 2025-04-23 16:31

Summary

go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/libp2p/go-libp2p/security/advi…	x_refsource_CONFIRM
	https://github.com/libp2p/go-libp2p/commit/15d7df…	x_refsource_MISC
	https://docs.libp2p.io/reference/dos-mitigation/	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	libp2p	go-libp2p	Affected: < 0.18.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.122Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
          },
          {
            "name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
          },
          {
            "name": "https://docs.libp2p.io/reference/dos-mitigation/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.libp2p.io/reference/dos-mitigation/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23492",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:48:12.746050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:31:24.219Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-libp2p",
          "vendor": "libp2p",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.18.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. "
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-08T00:08:11.210Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
        },
        {
          "name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
        },
        {
          "name": "https://docs.libp2p.io/reference/dos-mitigation/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.libp2p.io/reference/dos-mitigation/"
        }
      ],
      "source": {
        "advisory": "GHSA-j7qp-mfxf-8xjw",
        "discovery": "UNKNOWN"
      },
      "title": "go-libp2p denial of service vulnerability from lack of resource management"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23492",
    "datePublished": "2022-12-08T00:08:11.210Z",
    "dateReserved": "2022-01-19T21:23:53.765Z",
    "dateUpdated": "2025-04-23T16:31:24.219Z",
    "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*\", \"versionEndExcluding\": \"0.18.0\", \"matchCriteriaId\": \"DC28B9D1-484A-4395-BDF7-C238C07EB7C1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. \"}, {\"lang\": \"es\", \"value\": \"go-libp2p es la implementaci\\u00f3n oficial de libp2p en el lenguaje de programaci\\u00f3n Go. La versi\\u00f3n `0.18.0` y anteriores de go-libp2p son vulnerables a ataques de agotamiento de recursos dirigidos. Estos ataques tienen como objetivo la gesti\\u00f3n de conexi\\u00f3n, flujo, pares y memoria de libp2p. Un atacante puede provocar la asignaci\\u00f3n de grandes cantidades de memoria, lo que en \\u00faltima instancia lleva a que el sistema operativo del host elimine el proceso. Si bien un administrador de conexiones encargado de mantener la cantidad de conexiones dentro de los l\\u00edmites manejables ha sido parte de go-libp2p, este componente fue dise\\u00f1ado para manejar la rotaci\\u00f3n regular de pares, no un ataque de agotamiento de recursos dirigido. Se recomienda a los usuarios que actualicen su versi\\u00f3n de go-libp2p a la versi\\u00f3n `0.18.1` o m\\u00e1s reciente. Los usuarios que no puedan actualizar pueden consultar la p\\u00e1gina de mitigaci\\u00f3n de Denegaci\\u00f3n de Servicio (DoS) (dos) para obtener m\\u00e1s informaci\\u00f3n sobre c\\u00f3mo incorporar estrategias de mitigaci\\u00f3n, monitorizar su aplicaci\\u00f3n y responder a los ataques.\"}]",
      "id": "CVE-2022-23492",
      "lastModified": "2024-11-21T06:48:40.450",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-12-08T01:15:09.697",
      "references": "[{\"url\": \"https://docs.libp2p.io/reference/dos-mitigation/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://docs.libp2p.io/reference/dos-mitigation/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23492\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-12-08T01:15:09.697\",\"lastModified\":\"2024-11-21T06:48:40.450\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. \"},{\"lang\":\"es\",\"value\":\"go-libp2p es la implementaci\u00f3n oficial de libp2p en el lenguaje de programaci\u00f3n Go. La versi\u00f3n `0.18.0` y anteriores de go-libp2p son vulnerables a ataques de agotamiento de recursos dirigidos. Estos ataques tienen como objetivo la gesti\u00f3n de conexi\u00f3n, flujo, pares y memoria de libp2p. Un atacante puede provocar la asignaci\u00f3n de grandes cantidades de memoria, lo que en \u00faltima instancia lleva a que el sistema operativo del host elimine el proceso. Si bien un administrador de conexiones encargado de mantener la cantidad de conexiones dentro de los l\u00edmites manejables ha sido parte de go-libp2p, este componente fue dise\u00f1ado para manejar la rotaci\u00f3n regular de pares, no un ataque de agotamiento de recursos dirigido. Se recomienda a los usuarios que actualicen su versi\u00f3n de go-libp2p a la versi\u00f3n `0.18.1` o m\u00e1s reciente. Los usuarios que no puedan actualizar pueden consultar la p\u00e1gina de mitigaci\u00f3n de Denegaci\u00f3n de Servicio (DoS) (dos) para obtener m\u00e1s informaci\u00f3n sobre c\u00f3mo incorporar estrategias de mitigaci\u00f3n, monitorizar su aplicaci\u00f3n y responder a los ataques.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.18.0\",\"matchCriteriaId\":\"DC28B9D1-484A-4395-BDF7-C238C07EB7C1\"}]}]}],\"references\":[{\"url\":\"https://docs.libp2p.io/reference/dos-mitigation/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://docs.libp2p.io/reference/dos-mitigation/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\", \"name\": \"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\", \"name\": \"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://docs.libp2p.io/reference/dos-mitigation/\", \"name\": \"https://docs.libp2p.io/reference/dos-mitigation/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:43:46.122Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-23492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:48:12.746050Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:48:14.662Z\"}}], \"cna\": {\"title\": \"go-libp2p denial of service vulnerability from lack of resource management\", \"source\": {\"advisory\": \"GHSA-j7qp-mfxf-8xjw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"libp2p\", \"product\": \"go-libp2p\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.18.0\"}]}], \"references\": [{\"url\": \"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\", \"name\": \"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\", \"name\": \"https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.libp2p.io/reference/dos-mitigation/\", \"name\": \"https://docs.libp2p.io/reference/dos-mitigation/\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. \"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-08T00:08:11.210Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-23492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T16:31:24.219Z\", \"dateReserved\": \"2022-01-19T21:23:53.765Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-12-08T00:08:11.210Z\", \"requesterUserId\": \"c184a3d9-dc98-4c48-a45b-d2d88cf0ac74\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-23492

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-23492

Aliases

CVE-2022-23492

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23492",
    "id": "GSD-2022-23492"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-23492"
      ],
      "details": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
      "id": "GSD-2022-23492",
      "modified": "2023-12-13T01:19:35.120724Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-23492",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "go-libp2p",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.18.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "libp2p"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "refsource": "MISC",
            "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
          },
          {
            "name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "refsource": "MISC",
            "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
          },
          {
            "name": "https://docs.libp2p.io/reference/dos-mitigation/",
            "refsource": "MISC",
            "url": "https://docs.libp2p.io/reference/dos-mitigation/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-j7qp-mfxf-8xjw",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv0.18.1",
          "affected_versions": "All versions before 0.18.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2022-12-08",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.1"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.1",
          "package_slug": "go/github.com/libp2p/go-libp2p",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "7c6533cd-7d2e-472d-95d2-717a1c9dea1c",
          "versions": [
            {
              "commit": {
                "sha": "c32387c449b08892c6edd02dee8c39140e2e8e8a",
                "tags": [
                  "v0.18.1"
                ],
                "timestamp": "20220411201703"
              },
              "number": "v0.18.1"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/config",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "cf24e89b-1f30-41cf-82af-3416132dcc24",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/p2p/host/autonat",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "658761f3-f774-452f-895a-3be1662ac780",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/p2p/host/basic",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "d1771b8a-423d-4a2e-8a56-1372192cba90",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "fb661320-c372-4e86-ba17-18b3393a7dbc",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "227ae878-1341-4159-b0bf-02d3788a5fec",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "0c36c4a5-8aba-4fc2-99cf-55e77c9998f7",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.18.0",
          "affected_versions": "All versions before 0.18.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.",
          "fixed_versions": [
            "v0.18.0"
          ],
          "identifier": "CVE-2022-23492",
          "identifiers": [
            "GHSA-j7qp-mfxf-8xjw",
            "CVE-2022-23492"
          ],
          "not_impacted": "All versions starting from 0.18.0",
          "package_slug": "go/github.com/libp2p/go-libp2p/p2p/protocol/holepunch",
          "pubdate": "2022-12-07",
          "solution": "Upgrade to version 0.18.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
            "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23492",
            "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
            "https://docs.libp2p.io/reference/dos-mitigation/",
            "https://pkg.go.dev/vuln/GO-2022-1148",
            "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
          ],
          "uuid": "029d8afe-85cd-463d-a8ff-02359897b89e",
          "versions": [
            {
              "commit": {
                "sha": "5bab5811001a3442f3dabeec03a1c045cc9ef88a",
                "tags": [
                  "v0.18.0"
                ],
                "timestamp": "20220318075225"
              },
              "number": "v0.18.0"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.18.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23492"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.libp2p.io/reference/dos-mitigation/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://docs.libp2p.io/reference/dos-mitigation/"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-07-14T19:22Z",
      "publishedDate": "2022-12-08T01:15Z"
    }
  }
}

GHSA-J7QP-MFXF-8XJW

Vulnerability from github – Published: 2022-12-07 23:13 – Updated: 2023-02-14 21:25

Summary

libp2p DoS vulnerability from lack of resource management

Details

Impact

Versions older than v0.18.0 of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.

In the original version of the attack, the malicious node would continue opening new streams on a stream multiplexer that doesn’t provide sufficient back pressure (yamux or mplex). It is easy to defend against this one attack, but there are countless variations of this attack: * Opening streams and causing a non-trivial memory allocation (e.g., for multistream or protobuf parsing) * Creating a lot of sybil nodes and opening new connections across nodes

Patches (What to do as a go-libp2p consumer:)

Update your go-libp2p dependency to go-libp2p v0.18.0 or greater (current version as of publish date is v0.24.0.)
- Note: It's recommend that you update to v0.21.0 onwards as you’ll get some useful functionality that will help in production environments like better metrics around resource usage, Grafana dashboards around resource usage, allow list support, and default autoscaling limits. Please see the v0.21.0 release notes for more info.)
Determine appropriate limits for your application - go-libp2p sets up a resource manager with the default limits if none are provided. For default definitions please see limits_defaults.go. These limits are also set to automatically scale, this is done using the AutoScale method of the ScalingLimitConfig. We recommend you tune your limits as described here.
Configure your node to be attack resilient. See how to respond to an attack and identify misbehaving peers here. Then setup automatic blocking with fail2ban using canonical libp2p log lines: guide on how to do so here.

Examples

Lotus’ integration can be found in https://github.com/filecoin-project/lotus/blob/master/node/modules/lp2p/rcmgr.go. Lotus reads user-configured resource limits from a limits.json file into the root directory. This allows users to share their resource manager configuration independent of any other configurations.
Kubo’s (formerly go-ipfs) integration can be found in https://github.com/ipfs/go-ipfs/blob/master/core/node/libp2p/rcmgr.go. Kubo reads the limits from the IPFS config file.

Note: go-libp2p still implements the connection manager mentioned above. The connection manager is a component independent of the resource manager, which aims to keep the number of libp2p connections between a low and a high watermark. When modifying connection limits, it’s advantageous to keep the configuration of these components consistent, i.e., when setting a limit of N concurrent connections in the resource manager, the high watermark should be at most (and ideally slightly less) than N.

Workarounds

Although there are no workarounds within go-libp2p, some range of attacks can be mitigated using OS tools (like manually blocking malicious peers using iptables or ufw ) or making use of a load balancer in front of libp2p nodes.

However these require direct action & responsibility on your part and are no substitutes for upgrading go-libp2p. Therefore, we highly recommend upgrading your go-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about go-libp2p resource utilization.

References

Please see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.

Please see the related disclosure for rust-libp2p: https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8 and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv

For more information

If you have any questions or comments about this advisory email us at security@libp2p.io

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/libp2p/go-libp2p"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-07T23:13:02Z",
    "nvd_published_at": "2022-12-08T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nVersions older than `v0.18.0` of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.\n\nIn the original version of the attack, the malicious node would continue opening new streams on a stream multiplexer that doesn\u2019t provide sufficient back pressure (yamux or mplex). It is easy to defend against this one attack, but there are countless variations of this attack:\n* Opening streams and causing a non-trivial memory allocation (e.g., for multistream or protobuf parsing)\n* Creating a lot of sybil nodes and opening new connections across nodes\n\n### Patches (What to do as a go-libp2p consumer:)\n1. Update your go-libp2p dependency to go-libp2p v0.18.0 or greater (current version as of publish date is [v0.24.0](https://github.com/libp2p/go-libp2p/releases/tag/v0.24.0).)\n    - Note: **It\u0027s recommend that you update to `v0.21.0` onwards** as you\u2019ll get some useful functionality that will help in production environments like better metrics around resource usage, Grafana dashboards around resource usage, allow list support, and default autoscaling limits. [Please see the v0.21.0 release notes for more info.](https://github.com/libp2p/go-libp2p/releases/tag/v0.21.0))\n\n2. Determine appropriate limits for your application - go-libp2p sets up a resource manager with the default limits if none are provided. For default definitions please see [limits_defaults.go](https://github.com/libp2p/go-libp2p/blob/master/p2p/host/resource-manager/limit_defaults.go). These limits are also set to automatically scale, this is done using the [AutoScale method of the ScalingLimitConfig](https://github.com/libp2p/go-libp2p/blob/master/p2p/host/resource-manager/README.md#scaling-limits). We recommend you [tune your limits as described here](https://github.com/libp2p/go-libp2p/blob/master/p2p/host/resource-manager/README.md#how-to-tune-your-limits).\n\n3. Configure your node to be attack resilient. See [how to respond to an attack and identify misbehaving peers here](https://docs.libp2p.io/concepts/security/dos-mitigation/#responding-to-an-attack). Then setup automatic blocking with fail2ban using canonical libp2p log lines: [guide on how to do so here](https://docs.libp2p.io/concepts/security/dos-mitigation/#how-to-automate-blocking-with-fail2ban).\n\n#### Examples\n* Lotus\u2019 integration can be found in https://github.com/filecoin-project/lotus/blob/master/node/modules/lp2p/rcmgr.go. Lotus reads user-configured resource limits from a limits.json file into the root directory. This allows users to share their resource manager configuration independent of any other configurations.\n* Kubo\u2019s (formerly go-ipfs) integration can be found in https://github.com/ipfs/go-ipfs/blob/master/core/node/libp2p/rcmgr.go. Kubo reads the limits from the IPFS config file.\n\n**Note:** go-libp2p still implements the [connection manager](https://github.com/libp2p/go-libp2p/tree/master/p2p/net/connmgr) mentioned above. The connection manager is a component independent of the resource manager, which aims to keep the number of libp2p connections between a low and a high watermark. When modifying connection limits, it\u2019s advantageous to keep the configuration of these components consistent, i.e., when setting a limit of N concurrent connections in the resource manager, the high watermark should be at most (and ideally slightly less) than N.\n\n### Workarounds\nAlthough there are no workarounds within go-libp2p, some range of attacks can be mitigated using OS tools (like manually blocking malicious peers using `iptables` or `ufw` ) or making use of a load balancer in front of libp2p nodes.\n\nHowever these require direct action \u0026 responsibility on your part and are no substitutes for upgrading go-libp2p. Therefore, we highly recommend upgrading your go-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about go-libp2p resource utilization.\n\n### References\nPlease see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/. \n\nPlease see the related disclosure for rust-libp2p: https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8 and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv\n\n#### For more information\n\nIf you have any questions or comments about this advisory email us at [security@libp2p.io](mailto:security@libp2p.io)",
  "id": "GHSA-j7qp-mfxf-8xjw",
  "modified": "2023-02-14T21:25:56Z",
  "published": "2022-12-07T23:13:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
    },
    {
      "type": "WEB",
      "url": "https://docs.libp2p.io/reference/dos-mitigation"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/go-libp2p"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "libp2p DoS vulnerability from lack of resource management"
}

FKIE_CVE-2022-23492

Vulnerability from fkie_nvd - Published: 2022-12-08 01:15 - Updated: 2024-11-21 06:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://docs.libp2p.io/reference/dos-mitigation/	Vendor Advisory
security-advisories@github.com	https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.libp2p.io/reference/dos-mitigation/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw	Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	protocol	libp2p	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "DC28B9D1-484A-4395-BDF7-C238C07EB7C1",
              "versionEndExcluding": "0.18.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. "
    },
    {
      "lang": "es",
      "value": "go-libp2p es la implementaci\u00f3n oficial de libp2p en el lenguaje de programaci\u00f3n Go. La versi\u00f3n `0.18.0` y anteriores de go-libp2p son vulnerables a ataques de agotamiento de recursos dirigidos. Estos ataques tienen como objetivo la gesti\u00f3n de conexi\u00f3n, flujo, pares y memoria de libp2p. Un atacante puede provocar la asignaci\u00f3n de grandes cantidades de memoria, lo que en \u00faltima instancia lleva a que el sistema operativo del host elimine el proceso. Si bien un administrador de conexiones encargado de mantener la cantidad de conexiones dentro de los l\u00edmites manejables ha sido parte de go-libp2p, este componente fue dise\u00f1ado para manejar la rotaci\u00f3n regular de pares, no un ataque de agotamiento de recursos dirigido. Se recomienda a los usuarios que actualicen su versi\u00f3n de go-libp2p a la versi\u00f3n `0.18.1` o m\u00e1s reciente. Los usuarios que no puedan actualizar pueden consultar la p\u00e1gina de mitigaci\u00f3n de Denegaci\u00f3n de Servicio (DoS) (dos) para obtener m\u00e1s informaci\u00f3n sobre c\u00f3mo incorporar estrategias de mitigaci\u00f3n, monitorizar su aplicaci\u00f3n y responder a los ataques."
    }
  ],
  "id": "CVE-2022-23492",
  "lastModified": "2024-11-21T06:48:40.450",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-08T01:15:09.697",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.libp2p.io/reference/dos-mitigation/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.libp2p.io/reference/dos-mitigation/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-23492 (GCVE-0-2022-23492)

GSD-2022-23492

GHSA-J7QP-MFXF-8XJW

Impact

Patches (What to do as a go-libp2p consumer:)

Examples

Workarounds

References

For more information

FKIE_CVE-2022-23492

Tags

Sightings

Nomenclature