CVE-2023-25568

2023-05-1014:15:32

CWE-770

CWE-400

GitHub_M

web.nvd.nist.gov

boxo

go-libipfs

ipfs applications

implementation

cve-2023-25568

denial of service

dos

memory allocation

bitswap server

security issue

patch

nvd

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS

0.002

Percentile

53.3%

JSON

Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at github.com/ipfs/go-libipfs/bitswap because users then transitively import github.com/ipfs/go-libipfs/bitswap/server. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at github.com/ipfs/go-libipfs/bitswap not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: github.com/ipfs/go-libipfs/bitswap/client.

Affected configurations

Nvd

Node

protocolboxoMatch0.4.0go

protocolboxoMatch0.5.0go

VendorProductVersionCPE
protocolboxo0.4.0cpe:2.3:a:protocol:boxo:0.4.0:*:*:*:*:go:*:*
protocolboxo0.5.0cpe:2.3:a:protocol:boxo:0.5.0:*:*:*:*:go:*:*

Vendor	Product	Version	CPE
protocol	boxo	0.4.0	cpe:2.3:a:protocol:boxo:0.4.0:::::go::
protocol	boxo	0.5.0	cpe:2.3:a:protocol:boxo:0.5.0:::::go::

CNA Affected

[
  {
    "vendor": "ipfs",
    "product": "boxo",
    "versions": [
      {
        "version": "0.4.0",
        "status": "affected"
      },
      {
        "version": "0.5.0",
        "status": "affected"
      }
    ]
  }
]