CVE-2022-23486 : libp2p-rust is the official rust language Implementation of the libp2p networkin

libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.

Published 2022-12-07 21:15:10

Updated 2023-07-14 19:10:16

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-23486

Protocol » Libp2p » For Rust
Versions before (<) 0.45.1
cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-23486

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 18 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-23486

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-23486

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-23486

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8

libp2p DoS vulnerability from lack of resource management · Advisory · libp2p/rust-libp2p · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-23486

Products affected by CVE-2022-23486

Exploit prediction scoring system (EPSS) score for CVE-2022-23486

CVSS scores for CVE-2022-23486

CWE ids for CVE-2022-23486

References for CVE-2022-23486