CVE-2023-23626: Improper Check for Unusual or Exceptional Conditions

February 9, 2023 (updated November 7, 2023)

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happen when the size is a not a multiple of 8 or is negative. There were already a note in the NewBitfield documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that size is a multiple of 8 before calling NewBitfield or FromBytes.

References

github.com/advisories/GHSA-2h6c-j3gf-xp9r
github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579
github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r
nvd.nist.gov/vuln/detail/CVE-2023-23626

Code Behaviors & Features

Detect and mitigate CVE-2023-23626 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →