cvelistv5 - cve-2022-23495

CVE-2022-23495 (GCVE-0-2022-23495)

Vulnerability from cvelistv5 – Published: 2022-12-08 21:25 – Updated: 2025-04-23 16:31

Summary

go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-755 - Improper Handling of Exceptional Conditions

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ipfs/go-merkledag/security/adv…	x_refsource_CONFIRM
	https://github.com/ipfs/go-merkledag/issues/90	x_refsource_MISC
	https://github.com/ipfs/kubo/issues/9297	x_refsource_MISC
	https://github.com/ipfs/go-merkledag/pull/91	x_refsource_MISC
	https://github.com/ipfs/go-merkledag/pull/92	x_refsource_MISC
	https://github.com/ipfs/go-merkledag/pull/93	x_refsource_MISC
	https://en.wikipedia.org/wiki/Directed_acyclic_graph	x_refsource_MISC
	https://github.com/ipfs/go-merkledag/releases/tag…	x_refsource_MISC
	https://github.com/ipfs/go-merkledag/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ipfs	go-merkledag	Affected: >= 0.4.0, < 0.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.142Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/issues/90",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/issues/90"
          },
          {
            "name": "https://github.com/ipfs/kubo/issues/9297",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/kubo/issues/9297"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/pull/91",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/pull/91"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/pull/92",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/pull/92"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/pull/93",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/pull/93"
          },
          {
            "name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23495",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:48:01.494241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:31:04.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-merkledag",
          "vendor": "ipfs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.4.0, \u003c 0.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-08T21:25:40.257Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
        },
        {
          "name": "https://github.com/ipfs/go-merkledag/issues/90",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/go-merkledag/issues/90"
        },
        {
          "name": "https://github.com/ipfs/kubo/issues/9297",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/kubo/issues/9297"
        },
        {
          "name": "https://github.com/ipfs/go-merkledag/pull/91",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/go-merkledag/pull/91"
        },
        {
          "name": "https://github.com/ipfs/go-merkledag/pull/92",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/go-merkledag/pull/92"
        },
        {
          "name": "https://github.com/ipfs/go-merkledag/pull/93",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/go-merkledag/pull/93"
        },
        {
          "name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
        },
        {
          "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
        },
        {
          "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
        }
      ],
      "source": {
        "advisory": "GHSA-x39j-h85h-3f46",
        "discovery": "UNKNOWN"
      },
      "title": "ProtoNode may be modified such that common method calls may panic in ipfs/go-merkledag"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23495",
    "datePublished": "2022-12-08T21:25:40.257Z",
    "dateReserved": "2022-01-19T21:23:53.766Z",
    "dateUpdated": "2025-04-23T16:31:04.725Z",
    "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:protocol:go-merkledag:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.4.0\", \"versionEndExcluding\": \"0.8.1\", \"matchCriteriaId\": \"02537CFA-1940-4266-BAB5-D06516862DA8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\\n\"}, {\"lang\": \"es\", \"value\": \"go-merkledag implementa la interfaz \u0027DAGService\u0027 y agrega dos tipos de nodos ipld, Protobuf y Raw para el proyecto ipfs. Un `ProtoNode` puede modificarse de tal manera que cause varios errores de codificaci\\u00f3n que provocar\\u00e1n p\\u00e1nico en llamadas a m\\u00e9todos comunes que no permiten devoluciones de errores. Un `ProtoNode` solo deber\\u00eda poder codificar en DAG-PB v\\u00e1lido; intentar codificar formularios DAG-PB no v\\u00e1lidos generar\\u00e1 un error en el c\\u00f3dec. La manipulaci\\u00f3n de un \\\"ProtoNodo\\\" existente (reci\\u00e9n creado o decodificado) utilizando los m\\u00e9todos modificadores no tuvo en cuenta ciertos estados que colocar\\u00edan el \\\"ProtoNodo\\\" en una forma no codificable. Debido a la conformidad con [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) y [` github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, ciertos m\\u00e9todos, que internamente requieren una re-encode si el estado ha cambiado, entrar\\u00e1 en p\\u00e1nico debido a la imposibilidad de devolver un error. Este problema se ha solucionado en varias solicitudes de extracci\\u00f3n. Se recomienda a los usuarios que actualicen a la versi\\u00f3n 0.8.1 para obtener un conjunto completo de correcciones. Los usuarios que no puedan actualizar pueden intentar mitigar este problema desinfectando las entradas cuando permiten que las entradas del usuario establezcan un nuevo `CidBuilder` en un `ProtoNode` y sanitizando los valores de `Tsize` (`Link#Size`) de modo que sean razonables. El tama\\u00f1o de bytes para sub-DAG se deriva de la entrada del usuario.\"}]",
      "id": "CVE-2022-23495",
      "lastModified": "2024-11-21T06:48:40.890",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-12-08T22:15:10.233",
      "references": "[{\"url\": \"https://en.wikipedia.org/wiki/Directed_acyclic_graph\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/issues/90\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/pull/91\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/pull/92\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/pull/93\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/kubo/issues/9297\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://en.wikipedia.org/wiki/Directed_acyclic_graph\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/issues/90\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/pull/91\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/pull/92\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/pull/93\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipfs/kubo/issues/9297\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-755\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-252\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23495\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-12-08T22:15:10.233\",\"lastModified\":\"2024-11-21T06:48:40.890\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\\n\"},{\"lang\":\"es\",\"value\":\"go-merkledag implementa la interfaz \u0027DAGService\u0027 y agrega dos tipos de nodos ipld, Protobuf y Raw para el proyecto ipfs. Un `ProtoNode` puede modificarse de tal manera que cause varios errores de codificaci\u00f3n que provocar\u00e1n p\u00e1nico en llamadas a m\u00e9todos comunes que no permiten devoluciones de errores. Un `ProtoNode` solo deber\u00eda poder codificar en DAG-PB v\u00e1lido; intentar codificar formularios DAG-PB no v\u00e1lidos generar\u00e1 un error en el c\u00f3dec. La manipulaci\u00f3n de un \\\"ProtoNodo\\\" existente (reci\u00e9n creado o decodificado) utilizando los m\u00e9todos modificadores no tuvo en cuenta ciertos estados que colocar\u00edan el \\\"ProtoNodo\\\" en una forma no codificable. Debido a la conformidad con [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) y [` github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, ciertos m\u00e9todos, que internamente requieren una re-encode si el estado ha cambiado, entrar\u00e1 en p\u00e1nico debido a la imposibilidad de devolver un error. Este problema se ha solucionado en varias solicitudes de extracci\u00f3n. Se recomienda a los usuarios que actualicen a la versi\u00f3n 0.8.1 para obtener un conjunto completo de correcciones. Los usuarios que no puedan actualizar pueden intentar mitigar este problema desinfectando las entradas cuando permiten que las entradas del usuario establezcan un nuevo `CidBuilder` en un `ProtoNode` y sanitizando los valores de `Tsize` (`Link#Size`) de modo que sean razonables. El tama\u00f1o de bytes para sub-DAG se deriva de la entrada del usuario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-252\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:protocol:go-merkledag:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.4.0\",\"versionEndExcluding\":\"0.8.1\",\"matchCriteriaId\":\"02537CFA-1940-4266-BAB5-D06516862DA8\"}]}]}],\"references\":[{\"url\":\"https://en.wikipedia.org/wiki/Directed_acyclic_graph\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/issues/90\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/pull/91\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/pull/92\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/pull/93\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/kubo/issues/9297\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://en.wikipedia.org/wiki/Directed_acyclic_graph\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/issues/90\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/pull/91\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/pull/92\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/pull/93\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipfs/kubo/issues/9297\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2022-23495

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-23495

Aliases

CVE-2022-23495

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23495",
    "id": "GSD-2022-23495"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-23495"
      ],
      "details": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.",
      "id": "GSD-2022-23495",
      "modified": "2023-12-13T01:19:35.420440Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-23495",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "go-merkledag",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.4.0, \u003c 0.8.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ipfs"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-755",
                "lang": "eng",
                "value": "CWE-755: Improper Handling of Exceptional Conditions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/issues/90",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/issues/90"
          },
          {
            "name": "https://github.com/ipfs/kubo/issues/9297",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/kubo/issues/9297"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/pull/91",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/pull/91"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/pull/92",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/pull/92"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/pull/93",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/pull/93"
          },
          {
            "name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
            "refsource": "MISC",
            "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
          },
          {
            "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
            "refsource": "MISC",
            "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-x39j-h85h-3f46",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=v0.4.0 \u003cv0.8.1",
          "affected_versions": "All versions starting from 0.4.0 before 0.8.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-252",
            "CWE-937"
          ],
          "date": "2022-12-12",
          "description": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods does not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.",
          "fixed_versions": [
            "v0.8.1"
          ],
          "identifier": "CVE-2022-23495",
          "identifiers": [
            "CVE-2022-23495",
            "GHSA-x39j-h85h-3f46",
            "GMS-2022-8031"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/ipfs/go-merkledag",
          "pubdate": "2022-12-08",
          "solution": "Upgrade to version 0.8.1 or above.",
          "title": "Unchecked Return Value",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23495",
            "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
            "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
            "https://github.com/ipfs/go-merkledag/pull/93",
            "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
            "https://github.com/ipfs/go-merkledag/pull/91",
            "https://github.com/ipfs/kubo/issues/9297",
            "https://github.com/ipfs/go-merkledag/pull/92",
            "https://github.com/ipfs/go-merkledag/issues/90",
            "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
            "https://github.com/advisories/GHSA-x39j-h85h-3f46"
          ],
          "uuid": "7e439eff-c941-4087-8dbf-dd30cdb984f9",
          "versions": [
            {
              "commit": {
                "sha": "8794146d52c211b8af0456e734a248649e636be0",
                "tags": [
                  "v0.4.0"
                ],
                "timestamp": "20210812152823"
              },
              "number": "v0.4.0"
            },
            {
              "commit": {
                "sha": "503ecaa8b898d65ddaee92ba8c6ae60b824004c1",
                "tags": [
                  "v0.8.1"
                ],
                "timestamp": "20221123224113"
              },
              "number": "v0.8.1"
            }
          ]
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions starting from 0.4.0 before 0.8.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-12-08",
          "description": "A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the `github.com/ipfs/go-block-format` and `github.com/ipfs/go-ipld-format` interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. Additionally, use of the `ProtoNode#SetCidBuilder()` method to set a non-functioning `CidBuilder` (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.",
          "fixed_versions": [
            "v0.8.1"
          ],
          "identifier": "GMS-2022-8031",
          "identifiers": [
            "GHSA-x39j-h85h-3f46",
            "GMS-2022-8031",
            "CVE-2022-23495"
          ],
          "not_impacted": "All versions before 0.4.0, all versions starting from 0.8.1",
          "package_slug": "go/github.com/ipfs/go-merkledag",
          "pubdate": "2022-12-08",
          "solution": "Upgrade to version 0.8.1 or above.",
          "title": "Duplicate of ./go/github.com/ipfs/go-merkledag/CVE-2022-23495.yml",
          "urls": [
            "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
            "https://github.com/ipfs/go-merkledag/issues/90",
            "https://github.com/ipfs/kubo/issues/9297",
            "https://github.com/ipfs/go-merkledag/pull/91",
            "https://github.com/ipfs/go-merkledag/pull/92",
            "https://github.com/ipfs/go-merkledag/pull/93",
            "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
            "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
            "https://github.com/advisories/GHSA-x39j-h85h-3f46"
          ],
          "uuid": "62b17fa7-5939-4c15-bc86-23e1a3d3cdf5",
          "versions": [
            {
              "commit": {
                "sha": "8794146d52c211b8af0456e734a248649e636be0",
                "tags": [
                  "v0.4.0"
                ],
                "timestamp": "20210812152823"
              },
              "number": "v0.4.0"
            },
            {
              "commit": {
                "sha": "503ecaa8b898d65ddaee92ba8c6ae60b824004c1",
                "tags": [
                  "v0.8.1"
                ],
                "timestamp": "20221123224113"
              },
              "number": "v0.8.1"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:protocol:go-merkledag:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.8.1",
                "versionStartIncluding": "0.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23495"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-252"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
            },
            {
              "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
            },
            {
              "name": "https://github.com/ipfs/go-merkledag/pull/93",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/pull/93"
            },
            {
              "name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
            },
            {
              "name": "https://github.com/ipfs/go-merkledag/pull/91",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/pull/91"
            },
            {
              "name": "https://github.com/ipfs/kubo/issues/9297",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/kubo/issues/9297"
            },
            {
              "name": "https://github.com/ipfs/go-merkledag/pull/92",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/pull/92"
            },
            {
              "name": "https://github.com/ipfs/go-merkledag/issues/90",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipfs/go-merkledag/issues/90"
            },
            {
              "name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph",
              "refsource": "MISC",
              "tags": [
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-12-12T17:46Z",
      "publishedDate": "2022-12-08T22:15Z"
    }
  }
}

GHSA-X39J-H85H-3F46

Vulnerability from github – Published: 2022-12-08 16:12 – Updated: 2022-12-09 15:21

Summary

go-merkledag's ProtoNode may be modified such that common method calls may panic

Details

Impact

A ProtoNode may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns.

A ProtoNode should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) ProtoNode using the modifier methods did not account for certain states that would place the ProtoNode into an unencodeable form.

Due to conformance with the github.com/ipfs/go-block-format#Block and github.com/ipfs/go-ipld-format#Node interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error.

Additionally, use of the ProtoNode#SetCidBuilder() method to set a non-functioning CidBuilder (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.

Patches

Releases involving fixes for this issue are v0.8.0 and v0.8.1. The recommended minimum version is v0.8.1.

Additional checks are performed on ProtoNode state changes to avoid the possibility of creating unencodeable forms, errors are returned where this is the case.
The builder passed in to SetCidBuilder() is inspected to attempt to determine if it is usable to generate CIDs, otherwise an error is returned.
The panics have been removed and replaced with default values (empty byte slice for RawData() and a default zero-bytes DAG-PB CID for methods involving CIDs).

Workarounds

These workarounds are available when using impacted versions to avoid panic conditions, and may be generally appropriate in order to provide meaningful feedback to users and avoid generating bad, or unexpected encoded data:

Sanitise inputs when allowing user-input to set a new CidBuilder on a ProtoNode.
Sanitise Tsize (Link#Size) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.

References

https://github.com/ipfs/kubo/issues/9297
https://github.com/ipfs/go-merkledag/issues/90
https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0
https://github.com/ipfs/go-merkledag/pull/91
https://github.com/ipfs/go-merkledag/pull/92
https://github.com/ipfs/go-merkledag/pull/93
https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1

Credit

Thanks to @mrd0ll4r for reporting the original error to Kubo!

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ipfs/go-merkledag"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-252",
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-08T16:12:26Z",
    "nvd_published_at": "2022-12-08T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns.\n\nA `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form.\n\nDue to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error.\n\nAdditionally, use of the `ProtoNode#SetCidBuilder()` method to set a non-functioning `CidBuilder` (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.\n\n### Patches\n\nReleases involving fixes for this issue are [v0.8.0](https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0) and [v0.8.1](https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1). The recommended minimum version is **v0.8.1**.\n\n* Additional checks are performed on `ProtoNode` state changes to avoid the possibility of creating unencodeable forms, errors are returned where this is the case.\n* The builder passed in to `SetCidBuilder()` is inspected to attempt to determine if it is usable to generate CIDs, otherwise an error is returned.\n* The panics have been removed and replaced with default values (empty byte slice for `RawData()` and a default zero-bytes DAG-PB CID for methods involving CIDs).\n\n### Workarounds\n\nThese workarounds are available when using impacted versions to avoid panic conditions, and may be generally appropriate in order to provide meaningful feedback to users and avoid generating bad, or unexpected encoded data:\n\n* Sanitise inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode`.\n* Sanitise `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\n\n### References\n\n* https://github.com/ipfs/kubo/issues/9297\n* https://github.com/ipfs/go-merkledag/issues/90\n* https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0\n* https://github.com/ipfs/go-merkledag/pull/91\n* https://github.com/ipfs/go-merkledag/pull/92\n* https://github.com/ipfs/go-merkledag/pull/93\n* https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1\n\n\n### Credit\n\nThanks to [@mrd0ll4r](https://github.com/mrd0ll4r) for reporting the original error to Kubo!",
  "id": "GHSA-x39j-h85h-3f46",
  "modified": "2022-12-09T15:21:18Z",
  "published": "2022-12-08T16:12:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/issues/90"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/kubo/issues/9297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/pull/91"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/pull/92"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/pull/93"
    },
    {
      "type": "WEB",
      "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ipfs/go-merkledag"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-merkledag\u0027s ProtoNode may be modified such that common method calls may panic"
}

FKIE_CVE-2022-23495

Vulnerability from fkie_nvd - Published: 2022-12-08 22:15 - Updated: 2024-11-21 06:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://en.wikipedia.org/wiki/Directed_acyclic_graph	Technical Description, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/issues/90	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/pull/91	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/pull/92	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/pull/93	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46	Third Party Advisory
security-advisories@github.com	https://github.com/ipfs/kubo/issues/9297	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://en.wikipedia.org/wiki/Directed_acyclic_graph	Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/issues/90	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/pull/91	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/pull/92	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/pull/93	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipfs/kubo/issues/9297	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	protocol	go-merkledag	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:protocol:go-merkledag:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02537CFA-1940-4266-BAB5-D06516862DA8",
              "versionEndExcluding": "0.8.1",
              "versionStartIncluding": "0.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "go-merkledag implements the \u0027DAGService\u0027 interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don\u0027t allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\n"
    },
    {
      "lang": "es",
      "value": "go-merkledag implementa la interfaz \u0027DAGService\u0027 y agrega dos tipos de nodos ipld, Protobuf y Raw para el proyecto ipfs. Un `ProtoNode` puede modificarse de tal manera que cause varios errores de codificaci\u00f3n que provocar\u00e1n p\u00e1nico en llamadas a m\u00e9todos comunes que no permiten devoluciones de errores. Un `ProtoNode` solo deber\u00eda poder codificar en DAG-PB v\u00e1lido; intentar codificar formularios DAG-PB no v\u00e1lidos generar\u00e1 un error en el c\u00f3dec. La manipulaci\u00f3n de un \"ProtoNodo\" existente (reci\u00e9n creado o decodificado) utilizando los m\u00e9todos modificadores no tuvo en cuenta ciertos estados que colocar\u00edan el \"ProtoNodo\" en una forma no codificable. Debido a la conformidad con [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) y [` github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, ciertos m\u00e9todos, que internamente requieren una re-encode si el estado ha cambiado, entrar\u00e1 en p\u00e1nico debido a la imposibilidad de devolver un error. Este problema se ha solucionado en varias solicitudes de extracci\u00f3n. Se recomienda a los usuarios que actualicen a la versi\u00f3n 0.8.1 para obtener un conjunto completo de correcciones. Los usuarios que no puedan actualizar pueden intentar mitigar este problema desinfectando las entradas cuando permiten que las entradas del usuario establezcan un nuevo `CidBuilder` en un `ProtoNode` y sanitizando los valores de `Tsize` (`Link#Size`) de modo que sean razonables. El tama\u00f1o de bytes para sub-DAG se deriva de la entrada del usuario."
    }
  ],
  "id": "CVE-2022-23495",
  "lastModified": "2024-11-21T06:48:40.890",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-08T22:15:10.233",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/issues/90"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/pull/91"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/pull/92"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/pull/93"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/kubo/issues/9297"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/issues/90"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/pull/91"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/pull/92"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/pull/93"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipfs/kubo/issues/9297"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-23495 (GCVE-0-2022-23495)

GSD-2022-23495

GHSA-X39J-H85H-3F46

Impact

Patches

Workarounds

References

Credit

FKIE_CVE-2022-23495

Tags

Sightings

Nomenclature