History: Dec 08, 2023 - 3:15 p.m.

CVE-2023-6245

2023-12-08 15:15:08
CWE-1288
CWE-168
CWE-20
CWE-835
6b35d637-e00f-4228-858c-b20ad6e1d07b
web.nvd.nist.gov
cve-2023-6245
candid library
denial of service
dos
rust
decoding loop
canister
vulnerability
nvd
information security

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 49.6%

The Candid library causes a Denial of Service while parsing a specially crafted payload with the 'empty' data type. For example, if the payload is record { * ; empty } and the canister interface expects record { * }, then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field, and this causes an infinite decoding loop.

Canisters using affected versions of candid are exposed to denial of service: the decoding runs indefinitely until the canister traps due to reaching the maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister.

Note: Canisters written in Motoko are unaffected.

Affected configurations

NVD

Node: dfinity candid, Range 0.9.0 - 0.9.10, rust

CPE              Name             Operator   Version
dfinity:candid   dfinity candid   lt         0.9.10

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Candid",
    "repo": "https://github.com/dfinity/candid",
    "vendor": "Internet Computer",
    "versions": [
      {
        "lessThan": "0.9.10",
        "status": "affected",
        "version": "0.9.0",
        "versionType": "0.0.0"
      }
    ]
  }
]
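
To check a project against the range listed above (candid from 0.9.0 up to, but not including, 0.9.10), the following added example scans the text of a Cargo.lock file. It is not part of the advisory or of the candid project; the sample lockfile is constructed and the function names are this example's own.

```rust
// Added example (not from the advisory): list candid versions in a Cargo.lock
// that fall in the affected range given on this page, 0.9.0 <= v < 0.9.10.
// SAMPLE_LOCK is constructed; its package versions are illustrative only.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "candid"
version = "0.9.8"
[[package]]
name = "candid"
version = "0.10.2"
[[package]]
name = "serde"
version = "0.9.5"
"#;

// Parse the numeric MAJOR.MINOR.PATCH core; pre-release/build suffixes are ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

fn is_affected(v: &str) -> bool {
    parse_version(v).map_or(false, |ver| ver >= (0, 9, 0) && ver < (0, 9, 10))
}

// Extract VALUE from a `key = "VALUE"` line.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

fn affected_candid_versions(lockfile: &str) -> Vec<String> {
    let (mut hits, mut in_candid) = (Vec::new(), false);
    for line in lockfile.lines() {
        if let Some(name) = quoted_value(line, "name") {
            in_candid = name == "candid"; // a new name line starts a new package
        } else if let Some(version) = quoted_value(line, "version") {
            if in_candid && is_affected(version) {
                hits.push(version.to_string());
            }
        }
    }
    hits
}

fn main() {
    println!("affected candid versions: {:?}", affected_candid_versions(SAMPLE_LOCK));
}
```

Any version it reports should be upgraded to 0.9.10 or later, the first version outside the affected range.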
