x/vulndb: potential Go vuln in github.com/libp2p/go-libp2p-kad-dht: CVE-2023-26248

Advisory CVE-2023-26248 references a vulnerability in the following Go modules:

Module
github.com/libp2p/go-libp2p-kad-dht

Description: The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process.

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-26248
WEB: https://arxiv.org/abs/2307.12212
WEB: https://github.com/libp2p/go-libp2p-kad-dht

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/libp2p/go-libp2p-kad-dht
      vulnerable_at: 0.27.0
summary: CVE-2023-26248 in github.com/libp2p/go-libp2p-kad-dht
cves:
    - CVE-2023-26248
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-26248
    - web: https://arxiv.org/abs/2307.12212
    - web: https://github.com/libp2p/go-libp2p-kad-dht
source:
    id: CVE-2023-26248
    created: 2024-10-25T17:01:19.001437895Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/libp2p/go-libp2p-kad-dht: CVE-2023-26248 #3218