go-ipld-prime json codec may panic if asked to encode bytes
CVE-2023-22460
7.5 HIGH
What is CVE-2023-22460?
An issue in go-ipld-prime affects the JSON encoding of data containing a Bytes kind Node. The encoder panics when it encounters Bytes tokens, which are not valid for JSON encoding. Only the 'json' codec in the affected versions is impacted; the 'dag-json' codec is unaffected. Users are encouraged to upgrade to version 0.19.0, or to switch to 'dag-json' when encoding bytes, to avoid this issue.
Affected Version(s)
go-ipld-prime < 0.19.0
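A quick way to check whether a project pins an affected release is to scan its go.mod for go-ipld-prime versions below 0.19.0. The following is an added example, not code from the advisory or from the go-ipld-prime project; the module import path and the sample go.mod are assumptions constructed for illustration.

```go
package main
import (
	"fmt"
	"strings"
)

const modPath = "github.com/ipld/go-ipld-prime" // upstream import path (assumed; not on the page)
// Constructed sample go.mod, not from a real project.
const sampleGoMod = `module example.com/app
require (
	example.com/other v1.2.3
	github.com/ipld/go-ipld-prime v0.18.0 // indirect
)
`

// belowFixed: true if v sorts before v0.19.0 (its pre-releases and pseudo-versions included).
func belowFixed(v string) bool {
	core, _, hasPre := strings.Cut(v, "-")
	var ma, mi, pa int
	if _, err := fmt.Sscanf(core, "v%d.%d.%d", &ma, &mi, &pa); err != nil {
		return true // unparseable: flag for manual review
	}
	return ma == 0 && (mi < 19 || (mi == 19 && pa == 0 && hasPre))
}

// affectedRequires lists required go-ipld-prime versions older than the fix (replace directives are ignored).
func affectedRequires(goMod string) (hits []string) {
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) > 0 && f[0] == "require":
			inBlock, f = len(f) == 2 && f[1] == "(", f[1:]
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case !inBlock:
			continue
		}
		if len(f) == 2 && f[0] == modPath && belowFixed(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

func main() {
	fmt.Println(affectedRequires(sampleGoMod))
}
```

A hit only shows that an affected version is required; exposure still depends on whether the 'json' codec is used to encode data that can contain Bytes nodes.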
