id: GO-2023-1269
modules:
    - module: github.com/ipld/go-ipld-prime
      versions:
        - fixed: 0.19.0
      vulnerable_at: 0.18.0
      packages:
        - package: github.com/ipld/go-ipld-prime/codec/dagjson
          symbols:
            - Marshal
          derived_symbols:
            - Encode
            - EncodeOptions.Encode
summary: Panic in encoding in github.com/ipld/go-ipld-prime
description: |-
    Encoding data using the 'json' codec which contains a 'Bytes' type Node will
    cause the encoder to panic. The decoder is not impacted. If the codec is used to
    encode user supplied data, this may be used as a vector for a denial of service
    attack.
cves:
    - CVE-2023-22460
ghsas:
    - GHSA-c653-6hhg-9x92
credits:
    - '@hacdias'
references:
    - advisory: https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92
    - fix: https://github.com/ipld/go-ipld-prime/pull/472
review_status: REVIEWED