Code injection
An issue was discovered in IPFS aka go-ipfs 0.4.23. An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest of the network. Later...
CVE-2020-10937
CVE-2020-10937 affects IPFS (go-ipfs) 0.4.23. An attacker can generate ephemeral identities (Sybils) and abuse the IPFS connection management reputation system to poison routing tables, allowing eclipse of target nodes from the network. The primary details in the sources indicate this is a networ...
GHSA-6FCR-9H9G-23FQ Denial of Service in ipfs-bitswap
Versions of ipfs-bitswap prior to 0.24.1 are vulnerable to Denial of Service (DoS). The package puts unwanted blocks in the blockstore, which could be used to exhaust system resources in specific conditions. Recommendation: Upgrade to version 0.24.1 or later...
ipfs:ipfs_ds_flatfs: Crash with empty stacktrace
Detailed Report: https://oss-fuzz.com/testcase?key=5141448788541440 Project: ipfs Fuzzing Engine: libFuzzer Fuzz Target: ipfs_ds_flatfs Job Type: libfuzzer_asan_ipfs Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00001c3161ef Crash State: NULL Sanitizer: address (ASAN) Recommended Securit...
ipfs:ipfs_ds_flatfs: Crash with empty stacktrace
Detailed Report: https://oss-fuzz.com/testcase?key=5745157048369152 Project: ipfs Fuzzing Engine: libFuzzer Fuzz Target: ipfs_ds_flatfs Job Type: libfuzzer_asan_ipfs Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00003a0bd224 Crash State: NULL Sanitizer: address (ASAN) Recommended Securit...
Denial Of Service (DoS)
ipfs-bitswap is vulnerable to denial of service (DoS). The library does not ignore unwanted blocks from the block store during the invocation of multiple functions, allowing a malicious user to cause an application crash...
ipfs:ipfs_ds_badger2: Crash with empty stacktrace
Detailed Report: https://oss-fuzz.com/testcase?key=4913800225751040 Project: ipfs Fuzzing Engine: libFuzzer Fuzz Target: ipfs_ds_badger2 Job Type: libfuzzer_asan_ipfs Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000201320 Crash State: NULL Sanitizer: address (ASAN) Recommended Securi...
ipfs:ipfs_ds_flatfs: Null-dereference READ in _cgo_try_pthread_create
Detailed Report: https://oss-fuzz.com/testcase?key=5714274837331968 Project: ipfs Fuzzing Engine: libFuzzer Fuzz Target: ipfs_ds_flatfs Job Type: libfuzzer_asan_ipfs Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: _cgo_try_pthread_create Sanitizer: address...
Denial of Service
Overview: Versions of ipfs-bitswap prior to 0.24.1 are vulnerable to Denial of Service (DoS). The package puts unwanted blocks in the blockstore, which could be used to exhaust system resources in specific conditions. Recommendation: Upgrade to version 0.24.1 or later. References: - GitHub PR - Snyk...
@dapp-stack/ipfs (>=0.1.0 <=0.5.0), @dapp-stack/scripts (>=0.1.0 <=0.3.0) +6 more potentially affected by CVE-2016-10563 via go-ipfs-dep (>=0.4.0-1 <=0.4.3-2)
go-ipfs-dep NPM version =0.4.0-1, =0.1.0, =0.1.0, =0.1.0, =1.0.2, =1.0.0, =0.4.0-hacky2, =0.9.0, =1.0.0, =1.6.0 Source cves: CVE-2016-10563 Source advisory: OSV:GHSA-G3XP-V2FF-X5C3...
GHSA-G3XP-V2FF-X5C3 Downloads Resources over HTTP in go-ipfs-dep
Affected versions of go-ipfs-deps insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...
CVE-2016-10563
During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further compromise...
CVE-2016-10563
CVE-2016-10563 concerns the go-ipfs-deps package, where versions before 0.4.4 download resources over HTTP. The root cause is insecure HTTP downloads that enable a MITM attacker to modify or read resources, compromising integrity and potentially enabling further impact, including remote code exec...
Arbitrary Redirects
github.com/ipfs/go-ipfs is vulnerable to arbitrary redirects. There is no validation of the X-Ipfs-Path-Prefix header which allows attackers to pass in arbitrary prefixes resulting in arbitrary redirects and directory listings...
Man In The Middle (MitM)
go-ipfs-dep is vulnerable to man-in-the-middle (MitM) attacks because the library downloads binaries via HTTP. It may also lead to remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or...