x/vulndb: potential Go vuln in github.com/ipfs/go-ipfs: GHSA-fx5p-f64h-93xc

[GoVulnBot]

In GitHub Security Advisory GHSA-fx5p-f64h-93xc, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/ipfs/go-ipfs	0.12.1	>= 0.11.0, < 0.12.1

See doc/triage.md for instructions on how to triage this report.

package: github.com/ipfs/go-ipfs
versions:
  - introduced: v0.11.0
    fixed: v0.12.1
description: "### Impact\n\nAllows admin API access to the IPFS node.\n\n### Who ?\n\nThis
    affects people running the  [docker-compose.yaml](https://github.com/ipfs/go-ipfs/blob/master/docker-compose.yaml)
    service in an environment where the docker host is directly attached to a public
    or untrusted IP.  In the vulnerable version, the private API endpoint is publicly
    forwarded by exposing it as `0.0.0.0:5001` on the host machine.  \n\nIf the host
    machine is hidden behind a firewall or NAT (and the LAN is trusted for NAT), this
    is not an immediate issue because of the protection from the firewall or NAT.
    \ That said, we still recommend users update to follow security best practices
    of not putting unnecessary dependency on a working firewall.\n\n### Patches\nThis
    issue is in [docker-compose.yaml](https://github.com/ipfs/go-ipfs/blob/master/docker-compose.yaml).
    \ Users need to replace their current `docker-compose.yaml` file with a version
    `0.12.1` or later.\n\nThere is no need to update any of the binaries. Users running
    previous versions like `0.12.0` or earlier can download the `0.12.1` `docker-compose.yaml`
    file.  You can replace a vulnerable `docker-compose.yaml` file with a the new
    one with:\n\n```\ncurl https://raw.githubusercontent.com/ipfs/go-ipfs/v0.12.1/docker-compose.yaml
    > docker-compose.yaml\n```\n\n### How to test if you are vulnerable\n#### Binding
    check on the host\nOn the host machine, while IPFS is running, run as root:\n\n```bash\nnetstat
    -lnp | grep \":5001\"\n```\n\nThe output will be a list of listeners bound to
    `:5001`.\nYou then need to check that those listeners are private and preferably
    even localhost IPs.\n⚠️ If this listener is on `0.0.0.0` or a public IP you are
    very likely vulnerable.\n\n#### Remote hailing\nWhile IPFS is running, you can
    try to contact the API from a remote machine. (Replace `1.2.3.4` with your node
    public IP.  Or if you want to test in an untrusted NAT, then substitute the LAN
    IP instead.)\n\n```bash\ncurl -X POST http://1.2.3.4:5001/api/v0/version\n```\n\n⚠️
    If you see any json outputted (e.g.,  `{\"Commit\": \"<string>\",\"Golang\": \"<string>\",\"Repo\":
    \"<string>\",\"System\": \"<string>\",\"Version\": \"<string>\"}`), then you are
    vulnerable.\n\nIf it **fails**, then you are safe.\n\n### For more information\nIf
    you have any questions or comments about this advisory:\n* Please first read https://docs.ipfs.io/reference/http/api/
    about best practices\n* Ask in [IPFS Discord #ipfs-chatter](https://discord.gg/ipfs)\n*
    Open an issue in [go-ipfs](https://github.com/ipfs/go-ipfs)\n"
published: 2022-04-04T21:23:55Z
last_modified: 2022-04-06T14:45:19Z
ghsas:
  - GHSA-fx5p-f64h-93xc

[neild]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607218 mentions this issue: data/reports: unexclude 20 reports (16)