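# Vulnerability report for CVE-2022-41723 / GHSA-vvpx-j8f3-3w6h:
# excessive CPU consumption in the HPACK decoder on a crafted HTTP/2 stream.
#
# Remediation read off the `fixed` fields below: Go 1.19.6 or 1.20.1 (or
# later) for the standard library, golang.org/x/net 0.7.0 (or later) for the
# standalone module. Both modules must be checked; a patched toolchain does
# not update a vendored or pinned golang.org/x/net.
#
# NOTE(review): the nesting here was restored from the keys' meaning because
# the listing had lost its indentation; confirm against the upstream file.
modules:
  - module: std
    versions:
      # No `introduced` bound: every release before 1.19.6 is in range.
      - fixed: 1.19.6
      # The 1.20 line is affected from 1.20.0 until 1.20.1.
      - introduced: 1.20.0
        fixed: 1.20.1
    # A version known to be affected.
    vulnerable_at: 1.20.0
    packages:
      # No symbols are listed, so this entry applies to net/http at package
      # level rather than to individual functions.
      - package: net/http
  - module: golang.org/x/net
    versions:
      - fixed: 0.7.0
    # Pseudo-version of a commit that predates the fix.
    vulnerable_at: 0.6.1-0.20230213185550-547e7edf3873
    packages:
      - package: golang.org/x/net/http2
      - package: golang.org/x/net/http2/hpack
        # Decoder methods named as the vulnerable code.
        symbols:
          - Decoder.parseFieldLiteral
          - Decoder.readString
        # Exported methods listed as reaching the symbols above; presumably
        # what call-graph scanners match against (confirm with the tool).
        derived_symbols:
          - Decoder.DecodeFull
          - Decoder.Write
description: |
  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
  in the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.
ghsas:
  - GHSA-vvpx-j8f3-3w6h
credit: Philippe Antoine (Catena cyber)
references:
  - report: https://go.dev/issue/57855
  - fix: https://go.dev/cl/468135
  - fix: https://go.dev/cl/468295
  - web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
cve_metadata:
  id: CVE-2022-41723
  # Quoted because the value contains ": ", which would otherwise start a
  # nested mapping.
  cwe: 'CWE 400: Uncontrolled Resource Consumption'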