CVE - CVE-2022-23495

CVE-ID
CVE-2022-23495	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://en.wikipedia.org/wiki/Directed_acyclic_graph URL:https://en.wikipedia.org/wiki/Directed_acyclic_graph MISC:https://github.com/ipfs/go-merkledag/issues/90 URL:https://github.com/ipfs/go-merkledag/issues/90 MISC:https://github.com/ipfs/go-merkledag/pull/91 URL:https://github.com/ipfs/go-merkledag/pull/91 MISC:https://github.com/ipfs/go-merkledag/pull/92 URL:https://github.com/ipfs/go-merkledag/pull/92 MISC:https://github.com/ipfs/go-merkledag/pull/93 URL:https://github.com/ipfs/go-merkledag/pull/93 MISC:https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0 URL:https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0 MISC:https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1 URL:https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1 MISC:https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46 URL:https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46 MISC:https://github.com/ipfs/kubo/issues/9297 URL:https://github.com/ipfs/kubo/issues/9297
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20220119	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220119)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)