CVE-2023-22460
Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the json codec. dag-json is not impacted. Use of json as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the dag-json codec, which has the ability to encode bytes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ipld/go-ipld-primeGo | < 0.19.0 | 0.19.0 |
Affected products
2- Range: < 0.19.0
Patches
Vulnerability mechanics
References
7- github.com/ipld/go-ipld-prime/pull/472nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-c653-6hhg-9x92ghsaADVISORY
- github.com/ipld/go-ipld-prime/releases/tag/v0.19.0nvdRelease NotesThird Party AdvisoryWEB
- github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-22460ghsaADVISORY
- github.com/ipld/go-ipld-prime/commit/146d1c8529676fe9ee0604f014656af2395505fcghsaWEB
- pkg.go.dev/vuln/GO-2023-1269ghsaWEB
News mentions
0No linked articles in our index yet.