Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers
Vulnerability Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
go-ipld-prime 安全漏洞
Vulnerability Description
go-ipld-prime是IPLD开源的一种 ipld 规范接口的实现。 go-ipld-prime 0.22.0之前版本存在安全漏洞,该漏洞源于DAG-CBOR解码器使用CBOR标头中声明的集合大小作为映射和列表的Go预分配提示,但未限制这些大小提示或在其分配预算中考虑其成本,可能导致小型有效载荷造成过多的内存分配。
CVSS Information
N/A
Vulnerability Type
N/A