What is CVE-2023-23626?

CVE-2023-23626 is a vulnerability in the go-bitfield package for the go language, which can be exploited by an attacker to trigger panics when feeding untrusted user input into certain functions.

What is the severity of CVE-2023-23626?

The severity of CVE-2023-23626 is high, with a severity value of 7.5.

How does CVE-2023-23626 affect the go-bitfield package?

CVE-2023-23626 affects the go-bitfield package up to version 1.1.0 and can be exploited by an attacker to trigger panics.

Are there any fixes or patches available for CVE-2023-23626?

Yes, fixes for CVE-2023-23626 are available in the commit 5e1d256fe043fc4163343ccca83862c69c52e579 and advisory GHSA-2h6c-j3gf-xp9r.

Vulnerability/
CVE-2023-23626

high

7.5

CWE

1284 754

9/2/2023

17/2/2023

CVE-2023-23626

Q: How can an attacker exploit CVE-2023-23626?

An attacker can exploit CVE-2023-23626 by feeding untrusted user input into the size parameter of certain functions in the go-bitfield package.

First published: Thu Feb 09 2023(Updated: )

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Protocol Go-bitfield	<1.1.0

Remedy

https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579

Remedy

https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-23626?
CVE-2023-23626 is a vulnerability in the go-bitfield package for the go language, which can be exploited by an attacker to trigger panics when feeding untrusted user input into certain functions.
What is the severity of CVE-2023-23626?
The severity of CVE-2023-23626 is high, with a severity value of 7.5.
How does CVE-2023-23626 affect the go-bitfield package?
CVE-2023-23626 affects the go-bitfield package up to version 1.1.0 and can be exploited by an attacker to trigger panics.
How can an attacker exploit CVE-2023-23626?
An attacker can exploit CVE-2023-23626 by feeding untrusted user input into the size parameter of certain functions in the go-bitfield package.
Are there any fixes or patches available for CVE-2023-23626?
Yes, fixes for CVE-2023-23626 are available in the commit 5e1d256fe043fc4163343ccca83862c69c52e579 and advisory GHSA-2h6c-j3gf-xp9r.

collector/nvd-index
agent/severity
agent/references
agent/weakness
agent/author
agent/tags
agent/description
agent/type
agent/event
agent/remedy
agent/softwarecombine
agent/first-publish-date
agent/last-modified-date
vendor/protocol
canonical/protocol go-bitfield

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.