Home > Vulnerability Database > CVE-2023-23626

Mend.io Vulnerability Database

CVE-2023-23626

Good to know:

Date: February 9, 2023

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.

Language: Go

Severity Score

7.5

Related Resources (4)

Url: https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r

Url: https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23626

Url: https://www.mend.io/vulnerability-database/CVE-2023-23626

Severity Score

7.5

Weakness Type (CWE)

Improper Check for Unusual or Exceptional Conditions

CWE-754

Improper Validation of Specified Quantity in Input

CWE-1284

Top Fix

Upgrade Version

Upgrade to version v1.1.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23626

Good to know:

Date: February 9, 2023

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?