CVE-2023-23626

2023-02-0921:15:11

CWE-1284

CWE-754

[email protected]

web.nvd.nist.gov

go-bitfield

go language

performant

package

security

cve-2023-23626

vulnerability

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

36.1%

JSON

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happen when the size is a not a multiple of 8 or is negative. There were already a note in the NewBitfield documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that size is a multiple of 8 before calling NewBitfield or FromBytes.

Affected configurations

Vulners

NVD

Node

ipfsgo-ipfs-depRange<1.1.0

VendorProductVersionCPE
ipfsgo\-ipfs\-dep*cpe:2.3:a:ipfs:go\-ipfs\-dep:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ipfs	go\-ipfs\-dep	*	cpe:2.3:a:ipfs:go\-ipfs\-dep::::::::

CNA Affected

[
  {
    "vendor": "ipfs",
    "product": "go-bitfield",
    "versions": [
      {
        "version": "< 1.1.0",
        "status": "affected"
      }
    ]
  }
]