data/reports/GO-2021-0172.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.6.4
       - introduced: 1.7.0
         fixed: 1.7.4
     vulnerable_at: 1.7.3
     packages:
       - package: mime/multipart
         symbols:
           - Reader.readForm
         skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
 description: |
     When parsing large multipart/form-data, an attacker can
     cause a HTTP server to open a large number of file
     descriptors. This may be used as a denial-of-service
     vector.
 published: 2022-02-15T23:56:14Z
 cves:
   - CVE-2017-1000098
 credit: Simon Rawet
 references:
   - fix: https://go.dev/cl/30410
   - fix: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
   - report: https://go.dev/issue/16296
   - web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
	modules:
	- module: std
	versions:
	- fixed: 1.6.4
	- introduced: 1.7.0
	fixed: 1.7.4
	vulnerable_at: 1.7.3
	packages:
	- package: mime/multipart
	symbols:
	- Reader.readForm
	skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
	description: \|
	When parsing large multipart/form-data, an attacker can
	cause a HTTP server to open a large number of file
	descriptors. This may be used as a denial-of-service
	vector.
	published: 2022-02-15T23:56:14Z
	cves:
	- CVE-2017-1000098
	credit: Simon Rawet
	references:
	- fix: https://go.dev/cl/30410
	- fix: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
	- report: https://go.dev/issue/16296
	- web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ