CVE-2023-23625

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23625
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23625.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-23625
Aliases
Related
Published
2023-02-09T21:15:11Z
Modified
2025-01-08T14:41:59.662019Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

go-unixfs is an implementation of a unix-like filesystem on top of an IPLD merkledag. Reading a malformed HAMT-sharded directory can cause panics and virtual memory leaks. The root cause is a bogus fanout parameter in the HAMT directory nodes, which the decoder used without validation. Any application that decodes untrusted user input with this library can therefore be crashed by an attacker: a denial of service, which matches the CVSS vector above (availability impact only, no confidentiality or integrity impact). Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
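The following Go program is an added illustration of the class of check involved, not code from go-unixfs or from this advisory. It models a HAMT directory node with an attacker-controlled fanout field: a "trusting" decoder sizes the child table and picks a slot directly from the fanout (a fanout of 0 panics on modulo by zero, an oversized one allocates a huge table), while the hardened decoder first requires a non-zero power of two below an assumed cap and derives log2(fanout) from it. The type names, the maxFanout cap and the single-byte hash are assumptions for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// hamtNode is a constructed, simplified model of a HAMT sharded-directory
// node as read from a UnixFS protobuf. It is NOT go-unixfs's own type; only
// the fanout field matters for this demonstration.
type hamtNode struct {
	Fanout uint64 // attacker-controlled when the node comes from untrusted data
	Hash   []byte // first byte(s) of the name hash, constructed for the demo
}

// maxFanout is an assumed upper bound for the demo. The library's default
// directory fanout is 256; the exact cap is a local choice.
const maxFanout = 1 << 16

var (
	errZeroFanout    = errors.New("hamt: fanout must be non-zero")
	errFanoutNotPow2 = errors.New("hamt: fanout must be a power of two")
	errFanoutTooBig  = errors.New("hamt: fanout exceeds maximum")
)

// validateFanout rejects every fanout that would break the shard layout:
// zero (nothing to index into), non-powers-of-two (the hash is consumed in
// fixed log2(fanout)-bit slices) and oversized values (the child table is
// allocated from it). On success it returns log2(fanout).
func validateFanout(fanout uint64) (int, error) {
	switch {
	case fanout == 0:
		return 0, errZeroFanout
	case fanout&(fanout-1) != 0:
		return 0, errFanoutNotPow2
	case fanout > maxFanout:
		return 0, errFanoutTooBig
	}
	return bits.TrailingZeros64(fanout), nil
}

// decodeTrusting models the unvalidated pattern: the fanout is used as-is to
// size the child table and to pick a slot. Fanout 0 panics (integer modulo
// by zero); a huge fanout allocates a table of that size before any lookup.
func decodeTrusting(n hamtNode) (slot int, tableSize int) {
	table := make([]*hamtNode, n.Fanout)  // oversized fanout -> huge allocation
	slot = int(n.Hash[0]) % int(n.Fanout) // fanout 0 -> runtime panic
	return slot, len(table)
}

// decodeChecked validates the fanout before it is used for anything, and
// masks the hash with log2(fanout) bits instead of reducing it modulo fanout.
func decodeChecked(n hamtNode) (slot int, tableSize int, err error) {
	log2, err := validateFanout(n.Fanout)
	if err != nil {
		return 0, 0, err
	}
	table := make([]*hamtNode, n.Fanout)
	slot = int(n.Hash[0]) & (1<<log2 - 1)
	return slot, len(table), nil
}

// tryDecodeTrusting runs the trusting decoder and converts a panic into an
// error so the crash is observable without taking the process down.
func tryDecodeTrusting(n hamtNode) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	decodeTrusting(n)
	return nil
}

func main() {
	good := hamtNode{Fanout: 256, Hash: []byte{0xab}}
	bad := hamtNode{Fanout: 0, Hash: []byte{0xab}}
	fmt.Println("trusting, fanout 256:", tryDecodeTrusting(good))
	fmt.Println("trusting, fanout 0:  ", tryDecodeTrusting(bad))
	_, _, err := decodeChecked(bad)
	fmt.Println("checked, fanout 0:   ", err)
}
```

The practical takeaway for a consumer of untrusted UnixFS data is the ordering: every field that controls an allocation size or an index width is validated before the first allocation or lookup, so a malformed node is rejected with an error rather than reaching code that can panic.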

References

Affected packages

Git / github.com/ipfs/go-unixfs

Affected ranges

Type
GIT
Repo
https://github.com/ipfs/go-unixfs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

gx/v1.*

gx/v1.0.0
gx/v1.0.1
gx/v1.0.10
gx/v1.0.11
gx/v1.0.12
gx/v1.0.13
gx/v1.0.14
gx/v1.0.15
gx/v1.0.16
gx/v1.0.2
gx/v1.0.3
gx/v1.0.4
gx/v1.0.5
gx/v1.0.6
gx/v1.0.7
gx/v1.0.8
gx/v1.0.9
gx/v1.1.0
gx/v1.1.1
gx/v1.1.10
gx/v1.1.11
gx/v1.1.12
gx/v1.1.13
gx/v1.1.14
gx/v1.1.15
gx/v1.1.16
gx/v1.1.2
gx/v1.1.3
gx/v1.1.4
gx/v1.1.5
gx/v1.1.6
gx/v1.1.7
gx/v1.1.8
gx/v1.1.9
gx/v1.2.0
gx/v1.2.1
gx/v1.2.10
gx/v1.2.11
gx/v1.2.2
gx/v1.2.3
gx/v1.2.4
gx/v1.2.5
gx/v1.2.6
gx/v1.2.7
gx/v1.2.8
gx/v1.2.9

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.1.0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.3.0
v0.3.1
v0.4.0
v0.4.2