add go/github.com/libp2p/go-libp2p/p2p/host/basic/CVE-2022-23492.yml to branch

cdf59ce8 · 🤖 GitLab Bot 🤖 · b7a14689 · cdf59ce8
Commit cdf59ce8 authored 2 years ago by 🤖 GitLab Bot 🤖
--- a/go/github.com/libp2p/go-libp2p/p2p/host/basic/CVE-2022-23492.yml
+++ b/go/github.com/libp2p/go-libp2p/p2p/host/basic/CVE-2022-23492.yml
+---
+identifier: "CVE-2022-23492"
+identifiers:
+- "GHSA-j7qp-mfxf-8xjw"
+- "CVE-2022-23492"
+package_slug: "go/github.com/libp2p/go-libp2p/p2p/host/basic"
+title: "Uncontrolled Resource Consumption"
+description: "go-libp2p is the offical libp2p implementation in the Go programming
+  language. Version `0.18.0` and older of go-libp2p is vulnerable to targeted resource
+  exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and
+  memory management. An attacker can cause the allocation of large amounts of memory,
+  ultimately leading to the process getting killed by the host’s operating system.
+  While a connection manager tasked with keeping the number of connections within
+  manageable limits has been part of go-libp2p, this component was designed to handle
+  the regular churn of peers, not a targeted resource exhaustion attack. Users are
+  advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users
+  unable to upgrade may consult the denial of service (dos) mitigation page for more
+  information on how to incorporate mitigation strategies, monitor your application,
+  and respond to attacks."
+date: "2023-02-09"
+pubdate: "2022-12-07"
+affected_range: "<v0.18.0"
+fixed_versions:
+- "v0.18.0"
+affected_versions: "All versions before 0.18.0"
+not_impacted: "All versions starting from 0.18.0"
+solution: "Upgrade to version 0.18.0 or above."
+urls:
+- "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
+- "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
+- "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
+- "https://nvd.nist.gov/vuln/detail/CVE-2022-23492"
+- "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
+- "https://docs.libp2p.io/reference/dos-mitigation/"
+- "https://pkg.go.dev/vuln/GO-2022-1148"
+- "https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"
+cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+uuid: "d1771b8a-423d-4a2e-8a56-1372192cba90"
+cwe_ids:
+- "CWE-1035"
+- "CWE-400"
+- "CWE-937"
+versions:
+- number: "v0.18.0"
+  commit:
+    tags:
+    - "v0.18.0"
+    sha: "5bab5811001a3442f3dabeec03a1c045cc9ef88a"
+    timestamp: "20220318075225"