CVE-2023-39533
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/08/2023
Last modified:
31/10/2023
Description
go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can present very large RSA keys to run a resource exhaustion attack, forcing a node to spend time verifying signatures made with the large key. The vulnerability is in the core/crypto module of go-libp2p and can be triggered during the Noise handshake and during the libp2p x509 extension verification step. To prevent this attack, go-libp2p versions 0.27.8, 0.28.2, and 0.29.1 restrict RSA keys to
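The mitigation pattern the description refers to, as an added example that is not go-libp2p's own code: a bounded RSA key size check placed at the point where a remote peer's key is decoded from the wire and again in front of signature verification, so that an oversized modulus is rejected with a cheap bit-length comparison before any modular exponentiation is done. The limit value (8192 bits), the function names, and the sample message are assumptions of this example, since the page's description is cut off before the actual bound.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// maxRSABits bounds the RSA modulus size accepted from a remote peer. The exact
// limit the go-libp2p fix adopted is cut off in the description above, so 8192
// bits is an assumed value for this example.
const maxRSABits = 8192

// ErrRSAKeyTooLarge is returned before any modular arithmetic is attempted on
// an oversized key, so a hostile peer cannot make us pay for the verification.
var ErrRSAKeyTooLarge = errors.New("rsa public key exceeds maximum allowed size")

// checkRSAKeySize is the cheap gate: BitLen is trivial compared to a modular
// exponentiation over a modulus of tens of thousands of bits.
func checkRSAKeySize(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil {
		return errors.New("nil rsa public key")
	}
	if bits := pub.N.BitLen(); bits > maxRSABits {
		return fmt.Errorf("%w: %d bits > %d", ErrRSAKeyTooLarge, bits, maxRSABits)
	}
	return nil
}

// parseBoundedRSAPublicKey decodes a PKIX (SubjectPublicKeyInfo) DER key, as it
// might arrive in a handshake or certificate extension, and applies the size
// gate right after decoding, before the key is stored or used anywhere.
func parseBoundedRSAPublicKey(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("expected RSA public key, got %T", pub)
	}
	if err := checkRSAKeySize(rsaPub); err != nil {
		return nil, err
	}
	return rsaPub, nil
}

// verifyBounded is the hardened verification path: size gate first, then an
// ordinary PKCS#1 v1.5 signature check over SHA-256.
func verifyBounded(pub *rsa.PublicKey, msg, sig []byte) error {
	if err := checkRSAKeySize(pub); err != nil {
		return err
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// oversizedPublicKey fabricates a public key with a huge odd modulus without
// generating a matching private key (which would itself be slow). It stands in
// for the key a malicious peer would present; it is not a real RSA modulus,
// which does not matter because it must be rejected before any arithmetic.
func oversizedPublicKey(bits int) *rsa.PublicKey {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // sets exactly bit (bits-1)
	n.SetBit(n, 0, 1)                                  // make it odd
	return &rsa.PublicKey{N: n, E: 65537}
}

// sampleSignedMessage produces a legitimate 2048-bit key and a signature over a
// constructed sample message, standing in for an honest peer.
func sampleSignedMessage() (*rsa.PrivateKey, []byte, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	msg := []byte("constructed sample: noise handshake payload") // constructed input
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, nil, err
	}
	return priv, msg, sig, nil
}

func main() {
	priv, msg, sig, err := sampleSignedMessage()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest 2048-bit key:", verifyBounded(&priv.PublicKey, msg, sig))

	hostile := oversizedPublicKey(16384)
	der, err := x509.MarshalPKIXPublicKey(hostile)
	if err != nil {
		panic(err)
	}
	_, err = parseBoundedRSAPublicKey(der)
	fmt.Println("16384-bit key from the wire:", err)
}
```

The important design point is where the check sits: it must run on the decoded key before it is cached, compared, or handed to any verification routine, because the expensive operation is the verification itself, not the parse. Checking the length of the DER blob is not a substitute, since a peer controls the encoding and a short blob can still carry a large modulus. The golang/go and quic-go references on this page apply the same idea at the TLS layer.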
Impact
Base Score CVSS v3.x:
7.50
Severity CVSS v3.x:
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:libp2p:go-libp2p:*:*:*:*:*:go:*:* | | 0.27.8 (excluding) |
| cpe:2.3:a:libp2p:go-libp2p:*:*:*:*:*:go:*:* | 0.28.0 (including) | 0.28.2 (excluding) |
| cpe:2.3:a:libp2p:go-libp2p:0.29.0:*:*:*:*:go:*:* | | |
References to Advisories, Solutions, and Tools
- https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017
- https://github.com/golang/go/issues/61460
- https://github.com/libp2p/go-libp2p/commit/0cce607219f3710addc7e18672cffd1f1d912fbb
- https://github.com/libp2p/go-libp2p/commit/445be526aea4ee0b1fa5388aa65d32b2816d3a00
- https://github.com/libp2p/go-libp2p/commit/e30fcf7dfd4715ed89a5e68d7a4f774d3b9aa92d
- https://github.com/libp2p/go-libp2p/pull/2454
- https://github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg
- https://github.com/quic-go/quic-go/pull/4012