Vulnerability Report: GO-2022-1155
- CVE-2022-23495, GHSA-x39j-h85h-3f46
- Affects: github.com/ipfs/go-merkledag
- Published: Dec 22, 2022
- Modified: Jun 12, 2023
A ProtoNode may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. Additionally, use of the ProtoNode.SetCidBuilder() method to set non-functioning CidBuilder (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.
For detailed information about this vulnerability, visit https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46.
Affected Packages
-
PathVersionsSymbols
-
from v0.4.0 before v0.8.1
31 affected symbols
- ProtoNode.AddNodeLink
- ProtoNode.AddRawLink
- ProtoNode.AsBool
- ProtoNode.AsBytes
- ProtoNode.AsFloat
- ProtoNode.AsInt
- ProtoNode.AsLink
- ProtoNode.AsString
- ProtoNode.Cid
- ProtoNode.EncodeProtobuf
- ProtoNode.IsAbsent
- ProtoNode.IsNull
- ProtoNode.Kind
- ProtoNode.Length
- ProtoNode.ListIterator
- ProtoNode.Loggable
- ProtoNode.LookupByIndex
- ProtoNode.LookupByNode
- ProtoNode.LookupBySegment
- ProtoNode.LookupByString
- ProtoNode.MapIterator
- ProtoNode.Marshal
- ProtoNode.Multihash
- ProtoNode.RawData
- ProtoNode.SetCidBuilder
- ProtoNode.SetLinks
- ProtoNode.Size
- ProtoNode.Stat
- ProtoNode.String
- ProtoNode.UnmarshalJSON
- ProtoNode.UpdateNodeLink
Aliases
References
- https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46
- https://github.com/ipfs/kubo/issues/9297
- https://github.com/ipfs/go-merkledag/issues/90
- https://github.com/ipfs/go-merkledag/pull/91
- https://github.com/ipfs/go-merkledag/pull/92
- https://github.com/ipfs/go-merkledag/pull/93
- https://vuln.go.dev/ID/GO-2022-1155.json
Credits
- @mrd0ll4r (https://github.com/mrd0ll4r)
Feedback
See anything missing or incorrect?
Suggest an edit to this report.