CVE-2023-26248
Aliases:GHSA-mqr9-hjr8-2m9wGO-2024-3218
Advisory lineage Upstream: 0 Downstream: 1
Downstream
Deferred
Published: 25 Oct 2024, 00:00
Last modified:25 Oct 2024, 19:56
Vulnerability Summary
Overall Risk (default)
low
21/100 CVSS Score
5.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.1% LOW
0% probability +0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
25 Oct 2024, 00:00
Published
Vulnerability first disclosed
25 Oct 2024, 19:56
Last Modified
Vulnerability information updated
Description
The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Trends
Current EPSS score: 0.10%• Percentile: 27%
Techniques & Countermeasures
- CWE-352•Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Systems
- github.com/libp2p•go-libp2p-kad-dht
≤ 0.20.0 | all