Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/libp2p/go-libp2p-kad-dht: CVE-2023-26248 #3218

Open
GoVulnBot opened this issue Oct 25, 2024 · 0 comments

Comments

@GoVulnBot
Copy link

Advisory CVE-2023-26248 references a vulnerability in the following Go modules:

Module
github.com/libp2p/go-libp2p-kad-dht

Description:
The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process.

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/libp2p/go-libp2p-kad-dht
      vulnerable_at: 0.27.0
summary: CVE-2023-26248 in github.com/libp2p/go-libp2p-kad-dht
cves:
    - CVE-2023-26248
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-26248
    - web: https://arxiv.org/abs/2307.12212
    - web: https://github.com/libp2p/go-libp2p-kad-dht
source:
    id: CVE-2023-26248
    created: 2024-10-25T17:01:19.001437895Z
review_status: UNREVIEWED

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants