Headline
GHSA-c653-6hhg-9x92: go-ipld-prime/codec/json may panic if asked to encode bytes
go-ipld-prime
is a series of Go interfaces for manipulating IPLD data and a Go module that contains the go-ipld-prime/codec/json
codec.
Impact
Encoding data which contains a Bytes
kind Node will pass a Bytes
token to the JSON encoder which will panic as it doesn’t expect to receive Bytes
tokens. Such an encoding should be treated as an error, as plain JSON should not be able to encode Bytes.
This only impacts uses of the “json” codec, “dag-json” is not impacted. Use of “json” as a decoder is not impacted.
Patches
Fixed in v0.19.0.
Workarounds
Prefer the “dag-json” codec which has the ability to encode bytes.
References
See fix in #472
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-22460
go-ipld-prime/codec/json may panic if asked to encode bytes
Moderate severity GitHub Reviewed Published Jan 5, 2023 in ipld/go-ipld-prime • Updated Jan 5, 2023
Vulnerability details Dependabot alerts 0
Package
gomod github.com/ipld/go-ipld-prime/codec/json (Go)
Affected versions
< 0.19.0
Patched versions
0.19.0
Description
go-ipld-prime is a series of Go interfaces for manipulating IPLD data and a Go module that contains the go-ipld-prime/codec/json codec.
Impact
Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn’t expect to receive Bytes tokens. Such an encoding should be treated as an error, as plain JSON should not be able to encode Bytes.
This only impacts uses of the “json” codec, “dag-json” is not impacted. Use of “json” as a decoder is not impacted.
Patches
Fixed in v0.19.0.
Workarounds
Prefer the “dag-json” codec which has the ability to encode bytes.
References
See fix in #472
References
- GHSA-c653-6hhg-9x92
- https://nvd.nist.gov/vuln/detail/CVE-2023-22460
- ipld/go-ipld-prime#472
- https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0
rvagg published the maintainer security advisory
Jan 3, 2023
Severity
Moderate
5.9
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses
CWE-20
CVE ID
CVE-2023-22460
GHSA ID
GHSA-c653-6hhg-9x92
Source code
ipld/go-ipld-prime
Credits
- hacdias
Checking history
See something to contribute? Suggest improvements for this vulnerability.
Related news
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.