data/reports/GO-2023-1571.yaml - vulndb - Git at Google

 id: GO-2023-1571
 modules:
     - module: std
       versions:
         - fixed: 1.19.6
         - introduced: 1.20.0-0
           fixed: 1.20.1
       vulnerable_at: 1.20.0
       packages:
         - package: net/http
           symbols:
             - Transport.RoundTrip
             - Server.Serve
           derived_symbols:
             - Client.Do
             - Client.Get
             - Client.Head
             - Client.Post
             - Client.PostForm
             - Get
             - Head
             - ListenAndServe
             - ListenAndServeTLS
             - Post
             - PostForm
             - Serve
             - ServeTLS
             - Server.ListenAndServe
             - Server.ListenAndServeTLS
             - Server.ServeTLS
     - module: golang.org/x/net
       versions:
         - fixed: 0.7.0
       vulnerable_at: 0.6.1-0.20230213185550-547e7edf3873
       packages:
         - package: golang.org/x/net/http2
           symbols:
             - Transport.RoundTrip
             - Server.ServeConn
           derived_symbols:
             - ClientConn.Close
             - ClientConn.Ping
             - ClientConn.RoundTrip
             - ClientConn.Shutdown
             - ConfigureServer
             - ConfigureTransport
             - ConfigureTransports
             - ConnectionError.Error
             - ErrCode.String
             - FrameHeader.String
             - FrameType.String
             - FrameWriteRequest.String
             - Framer.ReadFrame
             - Framer.WriteContinuation
             - Framer.WriteData
             - Framer.WriteDataPadded
             - Framer.WriteGoAway
             - Framer.WriteHeaders
             - Framer.WritePing
             - Framer.WritePriority
             - Framer.WritePushPromise
             - Framer.WriteRSTStream
             - Framer.WriteRawFrame
             - Framer.WriteSettings
             - Framer.WriteSettingsAck
             - Framer.WriteWindowUpdate
             - GoAwayError.Error
             - ReadFrameHeader
             - Setting.String
             - SettingID.String
             - SettingsFrame.ForeachSetting
             - StreamError.Error
             - Transport.CloseIdleConnections
             - Transport.NewClientConn
             - Transport.RoundTripOpt
             - bufferedWriter.Flush
             - bufferedWriter.Write
             - chunkWriter.Write
             - clientConnPool.GetClientConn
             - connError.Error
             - dataBuffer.Read
             - duplicatePseudoHeaderError.Error
             - gzipReader.Close
             - gzipReader.Read
             - headerFieldNameError.Error
             - headerFieldValueError.Error
             - noDialClientConnPool.GetClientConn
             - noDialH2RoundTripper.RoundTrip
             - pipe.Read
             - priorityWriteScheduler.CloseStream
             - priorityWriteScheduler.OpenStream
             - pseudoHeaderError.Error
             - requestBody.Close
             - requestBody.Read
             - responseWriter.Flush
             - responseWriter.FlushError
             - responseWriter.Push
             - responseWriter.SetReadDeadline
             - responseWriter.SetWriteDeadline
             - responseWriter.Write
             - responseWriter.WriteHeader
             - responseWriter.WriteString
             - serverConn.CloseConn
             - serverConn.Flush
             - stickyErrWriter.Write
             - transportResponseBody.Close
             - transportResponseBody.Read
             - writeData.String
         - package: golang.org/x/net/http2/hpack
           symbols:
             - Decoder.parseFieldLiteral
             - Decoder.readString
           derived_symbols:
             - Decoder.DecodeFull
             - Decoder.Write
 summary: Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
 description: |-
     A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the
     HPACK decoder, sufficient to cause a denial of service from a small number of
     small requests.
 ghsas:
     - GHSA-vvpx-j8f3-3w6h
 credits:
     - Philippe Antoine (Catena cyber)
 references:
     - report: https://go.dev/issue/57855
     - fix: https://go.dev/cl/468135
     - fix: https://go.dev/cl/468295
     - web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
 cve_metadata:
     id: CVE-2022-41723
     cwe: 'CWE 400: Uncontrolled Resource Consumption'
     references:
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
         - https://www.couchbase.com/alerts/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
         - https://security.gentoo.org/glsa/202311-09
	id: GO-2023-1571
	modules:
	- module: std
	versions:
	- fixed: 1.19.6
	- introduced: 1.20.0-0
	fixed: 1.20.1
	vulnerable_at: 1.20.0
	packages:
	- package: net/http
	symbols:
	- Transport.RoundTrip
	- Server.Serve
	derived_symbols:
	- Client.Do
	- Client.Get
	- Client.Head
	- Client.Post
	- Client.PostForm
	- Get
	- Head
	- ListenAndServe
	- ListenAndServeTLS
	- Post
	- PostForm
	- Serve
	- ServeTLS
	- Server.ListenAndServe
	- Server.ListenAndServeTLS
	- Server.ServeTLS
	- module: golang.org/x/net
	versions:
	- fixed: 0.7.0
	vulnerable_at: 0.6.1-0.20230213185550-547e7edf3873
	packages:
	- package: golang.org/x/net/http2
	symbols:
	- Transport.RoundTrip
	- Server.ServeConn
	derived_symbols:
	- ClientConn.Close
	- ClientConn.Ping
	- ClientConn.RoundTrip
	- ClientConn.Shutdown
	- ConfigureServer
	- ConfigureTransport
	- ConfigureTransports
	- ConnectionError.Error
	- ErrCode.String
	- FrameHeader.String
	- FrameType.String
	- FrameWriteRequest.String
	- Framer.ReadFrame
	- Framer.WriteContinuation
	- Framer.WriteData
	- Framer.WriteDataPadded
	- Framer.WriteGoAway
	- Framer.WriteHeaders
	- Framer.WritePing
	- Framer.WritePriority
	- Framer.WritePushPromise
	- Framer.WriteRSTStream
	- Framer.WriteRawFrame
	- Framer.WriteSettings
	- Framer.WriteSettingsAck
	- Framer.WriteWindowUpdate
	- GoAwayError.Error
	- ReadFrameHeader
	- Setting.String
	- SettingID.String
	- SettingsFrame.ForeachSetting
	- StreamError.Error
	- Transport.CloseIdleConnections
	- Transport.NewClientConn
	- Transport.RoundTripOpt
	- bufferedWriter.Flush
	- bufferedWriter.Write
	- chunkWriter.Write
	- clientConnPool.GetClientConn
	- connError.Error
	- dataBuffer.Read
	- duplicatePseudoHeaderError.Error
	- gzipReader.Close
	- gzipReader.Read
	- headerFieldNameError.Error
	- headerFieldValueError.Error
	- noDialClientConnPool.GetClientConn
	- noDialH2RoundTripper.RoundTrip
	- pipe.Read
	- priorityWriteScheduler.CloseStream
	- priorityWriteScheduler.OpenStream
	- pseudoHeaderError.Error
	- requestBody.Close
	- requestBody.Read
	- responseWriter.Flush
	- responseWriter.FlushError
	- responseWriter.Push
	- responseWriter.SetReadDeadline
	- responseWriter.SetWriteDeadline
	- responseWriter.Write
	- responseWriter.WriteHeader
	- responseWriter.WriteString
	- serverConn.CloseConn
	- serverConn.Flush
	- stickyErrWriter.Write
	- transportResponseBody.Close
	- transportResponseBody.Read
	- writeData.String
	- package: golang.org/x/net/http2/hpack
	symbols:
	- Decoder.parseFieldLiteral
	- Decoder.readString
	derived_symbols:
	- Decoder.DecodeFull
	- Decoder.Write
	summary: Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
	description: \|-
	A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the
	HPACK decoder, sufficient to cause a denial of service from a small number of
	small requests.
	ghsas:
	- GHSA-vvpx-j8f3-3w6h
	credits:
	- Philippe Antoine (Catena cyber)
	references:
	- report: https://go.dev/issue/57855
	- fix: https://go.dev/cl/468135
	- fix: https://go.dev/cl/468295
	- web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
	cve_metadata:
	id: CVE-2022-41723
	cwe: 'CWE 400: Uncontrolled Resource Consumption'
	references:
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
	- https://www.couchbase.com/alerts/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
	- https://security.gentoo.org/glsa/202311-09