7.5
CVE-2023-23626
- EPSS 0.91%
- Veröffentlicht 09.02.2023 21:15:11
- Zuletzt bearbeitet 21.11.2024 07:46:33
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginDenial of service when feeding malformed size arguments in go-bitfield
go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Protocol ≫ Go-bitfield SwPlatformgo Version < 1.1.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.91% | 0.553 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1284 Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-754 Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579
https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r