data/reports/GO-2022-0288.yaml

id: GO-2022-0288
modules:
    - module: std
      versions:
        - fixed: 1.16.12
        - introduced: 1.17.0-0
        - fixed: 1.17.5
      vulnerable_at: 1.17.4
      packages:
        - package: net/http
          symbols:
            - http2serverConn.canonicalHeader
    - module: golang.org/x/net
      versions:
        - fixed: 0.0.0-20211209124913-491a49abca63
      vulnerable_at: 0.0.0-20211208012354-db4efeb81f4b
      packages:
        - package: golang.org/x/net/http2
          symbols:
            - serverConn.canonicalHeader
          derived_symbols:
            - Server.ServeConn
summary: Unbounded memory growth in net/http and golang.org/x/net/http2
description: |-
    An attacker can cause unbounded memory growth in servers accepting HTTP/2
    requests.
published: 2022-07-15T23:08:33Z
cves:
    - CVE-2021-44716
ghsas:
    - GHSA-vc3p-29h2-gpcp
credits:
    - murakmii
references:
    - fix: https://go.dev/cl/369794
    - report: https://go.dev/issue/50058
    - web: https://groups.google.com/g/golang-announce/c/hcmEScgc00k
review_status: REVIEWED