blob: a1776f6a7fa1c1a2207c3bee10c67af6f63a1dd1 [file] [log] [blame]
id: GO-2023-2000
modules:
- module: github.com/libp2p/go-libp2p
versions:
- fixed: 0.27.8
- introduced: 0.28.0
fixed: 0.28.2
- introduced: 0.29.0
fixed: 0.29.1
vulnerable_at: 0.29.0
packages:
- package: github.com/libp2p/go-libp2p/core/crypto
symbols:
- GenerateRSAKeyPair
- UnmarshalRsaPrivateKey
- UnmarshalRsaPublicKey
derived_symbols:
- GenerateKeyPair
- GenerateKeyPairWithReader
summary: Large RSA keys can cause high resource usage in github.com/libp2p/go-libp2p
description: |-
Large RSA keys can lead to resource exhaustion attacks.
With fix, the size of RSA keys transmitted during handshakes is restricted to <=
8192 bits.
cves:
- CVE-2023-39533
ghsas:
- GHSA-876p-8259-xjgg
references:
- advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg
- report: https://go.dev/issue/61460
- fix: https://github.com/libp2p/go-libp2p/commit/0cce607219f3710addc7e18672cffd1f1d912fbb