CVE-2023-26248

The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://arxiv.org/abs/2307.12212
https://github.com/libp2p/go-libp2p-kad-dht

Configurations

No configuration.

History

28 Oct 2024, 13:58

Type	Values Removed	Values Added
Summary		(es) El DHT de Kademlia (go-libp2p-kad-dht 0.20.0 y versiones anteriores) utilizado en IPFS (0.18.1 y versiones anteriores) asigna información de enrutamiento para el contenido (es decir, información sobre quién posee el contenido) que se almacenará por pares cuyos identificadores de pares tienen una pequeña distancia DHT del identificador de contenido. Esto permite que un atacante censure el contenido generando muchos pares Sybil cuyos identificadores de pares tienen una pequeña distancia del identificador de contenido, secuestrando así el proceso de resolución de contenido.

25 Oct 2024, 20:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CWE		CWE-352

25 Oct 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-25 16:15

Updated : 2024-10-28 13:58

NVD link : CVE-2023-26248

Mitre link : CVE-2023-26248

CVE.ORG link : CVE-2023-26248

JSON object : View

Products Affected

No product.

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

5.3 /10