| modules: |
| - module: github.com/ipld/go-codec-dagpb |
| versions: |
| - fixed: 1.3.1 |
| vulnerable_at: 1.3.0 |
| packages: |
| - package: github.com/ipld/go-codec-dagpb |
| symbols: |
| - DecodeBytes |
| derived_symbols: |
| - Decode |
| - Decoder |
| - Unmarshal |
| description: The dag-pb codec can panic when decoding invalid blocks. |
| published: 2022-07-01T20:08:04Z |
| ghsas: |
| - GHSA-g3vv-g2j5-45f2 |
| references: |
| - fix: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57 |
| cve_metadata: |
| id: CVE-2022-2584 |
| cwe: 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory |
| Buffer' |