CVE-2023-22460
MEDIUM5.9EPSS 0.39%go-ipld-prime/codec/json may panic if asked to encode bytes
Description
`go-ipld-prime` is a series of Go interfaces for manipulating IPLD data and a Go module that contains the `go-ipld-prime/codec/json` codec. ### Impact Encoding data which contains a `Bytes` kind Node will pass a `Bytes` token to the JSON encoder which will panic as it doesn't expect to receive `Bytes` tokens. Such an encoding should be treated as an error, as plain JSON should not be able to encode Bytes. **This only impacts uses of the "json" codec, "dag-json" is not impacted.** Use of "json" as a decoder is not impacted. ### Patches Fixed in v0.19.0. ### Workarounds Prefer the "dag-json" codec which has the ability to [encode bytes](https://ipld.io/specs/codecs/dag-json/spec/#bytes). ### References See fix in [#472](https://github.com/ipld/go-ipld-prime/pull/472)
Affected packages (2)
- Go/github.com/ipld/go-ipld-primefrom 0, < 0.19.0
- Go/github.com/ipld/go-ipld-primefrom 0, < 0.19.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-22460
- PATCHhttps://github.com/ipld/go-ipld-prime
- WEBhttps://github.com/ipld/go-ipld-prime/commit/146d1c8529676fe9ee0604f014656af2395505fc
- WEBhttps://github.com/ipld/go-ipld-prime/pull/472
- WEBhttps://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0
- WEBhttps://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92
- WEBhttps://pkg.go.dev/vuln/GO-2023-1269