PT-2022-17563 · Unknown · Go-Codec-Dagpb

Published

2022-04-08

·

Updated

2023-01-06

·

CVE-2022-2584

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

go-codec-dagpb versions prior to 1.3.1

Description

The dag-pb codec (go-codec-dagpb) can panic when decoding an invalid block because it trusts the link length recorded in the block rather than checking it against the bytes actually present. When the block ends before the declared length, the decoder reads past the end of the data (a buffer overread); in Go the resulting out-of-range slice surfaces as a runtime panic, so a single malformed block crashes the goroutine that decodes it. That is consistent with the CVSS vector: availability impact only (A:H), no confidentiality or integrity impact.

Recommendations

Update go-codec-dagpb to version 1.3.1 or later. As a temporary workaround, recover the panic higher in the call stack of the goroutine that calls the defective decoder (a deferred recover() in that same goroutine, since recover has no effect on panics in other goroutines) and treat the recovered panic as a decode error for that block.
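The decoding pattern behind this advisory, as an added example that is not go-codec-dagpb's own code: a minimal Go decoder for a sequence of length-delimited fields (uvarint length followed by that many bytes, as in the protobuf wire format dag-pb is built on). decodeUnchecked trusts the declared length the way the vulnerable versions did, decodeChecked is the hardened form, and decodeWithRecover is the interim workaround from the recommendation. The function names and the two sample byte slices are constructed for illustration and are not real dag-pb blocks.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample input (not real dag-pb blocks): a sequence of
// length-delimited fields, each a uvarint length followed by that many bytes.
var (
	// 3 bytes "abc", then 2 bytes "xy": well-formed.
	ValidBlock = []byte{3, 'a', 'b', 'c', 2, 'x', 'y'}
	// Second field declares 5 bytes but only 2 remain: the truncated case.
	TruncatedBlock = []byte{3, 'a', 'b', 'c', 5, 'x', 'y'}
)

// ErrTruncated is returned by the hardened decoder when a declared length
// runs past the end of the input.
var ErrTruncated = errors.New("declared length exceeds remaining bytes")

// decodeUnchecked follows the defective pattern: it reads each length prefix
// and slices the buffer to that length without checking that enough bytes
// remain.
func decodeUnchecked(buf []byte) [][]byte {
	var fields [][]byte
	for len(buf) > 0 {
		n, k := binary.Uvarint(buf)
		if k <= 0 {
			panic("malformed varint length prefix")
		}
		buf = buf[k:]
		// n is trusted. If n > len(buf) this slice expression is out of range
		// and the Go runtime panics with "slice bounds out of range"; if the
		// slice happened to have spare capacity it would instead silently
		// expose bytes beyond the block, which is the overread the advisory
		// describes.
		fields = append(fields, buf[:n])
		buf = buf[n:]
	}
	return fields
}

// decodeChecked is the hardened form: the declared length is compared with
// the remaining input before any slicing, and malformed input becomes an
// error instead of a panic.
func decodeChecked(buf []byte) ([][]byte, error) {
	var fields [][]byte
	for len(buf) > 0 {
		n, k := binary.Uvarint(buf)
		if k <= 0 {
			return nil, errors.New("malformed varint length prefix")
		}
		buf = buf[k:]
		if n > uint64(len(buf)) {
			return nil, fmt.Errorf("%w: need %d, have %d", ErrTruncated, n, len(buf))
		}
		fields = append(fields, buf[:int(n)])
		buf = buf[int(n):]
	}
	return fields, nil
}

// decodeWithRecover is the advisory's interim workaround: a deferred recover
// in the goroutine that calls the defective decoder turns the panic into an
// error. It must run in the same goroutine; recover does not catch panics
// raised elsewhere.
func decodeWithRecover(buf []byte) (fields [][]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			fields = nil
			err = fmt.Errorf("decode panicked on malformed block: %v", r)
		}
	}()
	return decodeUnchecked(buf), nil
}

func main() {
	fields, err := decodeChecked(ValidBlock)
	fmt.Printf("checked/valid:     %q err=%v\n", fields, err)
	fields, err = decodeChecked(TruncatedBlock)
	fmt.Printf("checked/truncated: %q err=%v\n", fields, err)
	fields, err = decodeWithRecover(TruncatedBlock)
	fmt.Printf("recover/truncated: %q err=%v\n", fields, err)
}
```

The fix is the single comparison against len(buf) before slicing; the recover wrapper only contains the crash and should be treated as a stopgap until the upgrade to 1.3.1 or later, because it still lets a malformed block abort decoding of everything processed in that call.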

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2022-2584
GHSA-967G-CJX4-H7J6
GHSA-G3VV-G2J5-45F2
GO-2022-0422

Affected Products

Go-Codec-Dagpb