CVE-2023-25568

EPSS 0.86%
Veröffentlicht 10.05.2023 14:15:32
Zuletzt bearbeitet 21.11.2024 07:49:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Boxo bitswap/server: DOS unbounded persistent memory leak

Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Protocol ≫ Boxo Version0.4.0 SwPlatformgo

Protocol ≫ Boxo Version0.5.0 SwPlatformgo

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.86%	0.536

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916

Patch

https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197

Patch

https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974

Patch

https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5

Patch

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-25568

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-25568

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-25568

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-25568