| id: GO-2022-0503 |
| modules: |
| - module: github.com/ipld/go-car |
| versions: |
| - fixed: 0.4.0 |
| vulnerable_at: 0.3.3 |
| packages: |
| - package: github.com/ipld/go-car |
| - package: github.com/ipld/go-car/util |
| - module: github.com/ipld/go-car/v2 |
| versions: |
| - introduced: 2.0.0 |
| - fixed: 2.4.0 |
| vulnerable_at: 2.3.0 |
| packages: |
| - package: github.com/ipld/go-car/v2 |
| - package: github.com/ipld/go-car/v2/blockstore |
| - package: github.com/ipld/go-car/v2/index |
| summary: Denial of service via malformed CAR data in github.com/ipld/go-car and go-car/v2 |
| description: Decoding malformed CAR data can cause panics or excessive memory usage. |
| published: 2022-07-30T03:50:50Z |
| ghsas: |
| - GHSA-9x4h-8wgm-8xfg |
| references: |
| - advisory: https://github.com/advisories/GHSA-9x4h-8wgm-8xfg |
| review_status: REVIEWED |