CVE-2022-23487
Vulnerability from cvelistv5
Published
2022-12-07 20:05
Modified
2024-08-03 03:43
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwvMitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwvMitigation, Third Party Advisory
Impacted products
Vendor Product Version
libp2p js-libp2p Version: < 0.38.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.080Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "js-libp2p",
          "vendor": "libp2p",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.38.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-07T20:05:35.319Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
        }
      ],
      "source": {
        "advisory": "GHSA-f44q-634c-jvwv",
        "discovery": "UNKNOWN"
      },
      "title": "libp2p denial of service vulnerability from lack of resource management"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23487",
    "datePublished": "2022-12-07T20:05:35.319Z",
    "dateReserved": "2022-01-19T21:23:53.762Z",
    "dateUpdated": "2024-08-03T03:43:46.080Z",
    "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23487\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-12-07T21:15:10.260\",\"lastModified\":\"2024-11-21T06:48:39.850\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"js-libp2p es la implementaci\u00f3n oficial de JavaScript de la pila de redes libp2p. Las versiones anteriores a `v0.38.0` de js-libp2p son vulnerables a ataques de agotamiento de recursos dirigidos. Estos ataques tienen como objetivo la gesti\u00f3n de conexi\u00f3n, flujo, pares y memoria de libp2p. Un atacante puede provocar la asignaci\u00f3n de grandes cantidades de memoria, lo que en \u00faltima instancia lleva a que el sistema operativo del host elimine el proceso. Si bien un administrador de conexiones encargado de mantener la cantidad de conexiones dentro de los l\u00edmites manejables ha sido parte de js-libp2p, este componente fue dise\u00f1ado para manejar la rotaci\u00f3n regular de pares, no un ataque de agotamiento de recursos dirigido. Se recomienda a los usuarios que actualicen su dependencia js-libp2p a `v0.38.0` o superior. No se conocen workaround para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:protocol:libp2p:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"0.38.0\",\"matchCriteriaId\":\"D9B43BF1-12E0-47E9-A127-1049A567B939\"}]}]}],\"references\":[{\"url\":\"https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.