Home > Vulnerability Database > CVE-2023-22460

Mend.io Vulnerability Database

CVE-2023-22460

Good to know:

Date: January 4, 2023

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.

Language: Go

Severity Score

7.5

Related Resources (8)

Url: https://github.com/ipld/go-ipld-prime

Url: https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-22460

Url: https://github.com/ipld/go-ipld-prime/commit/146d1c8529676fe9ee0604f014656af2395505fc

Url: https://github.com/ipld/go-ipld-prime/pull/472

Url: https://pkg.go.dev/vuln/GO-2023-1269

Url: https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92

Url: https://www.mend.io/vulnerability-database/CVE-2023-22460

Severity Score

7.5

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version v0.19.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-22460

Good to know:

Date: January 4, 2023

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?