| { |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0", |
| "cveMetadata": { |
| "cveId": "CVE-2022-41717" |
| }, |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc" |
| }, |
| "title": "Excessive memory growth in net/http and golang.org/x/net/http2", |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection." |
| } |
| ], |
| "affected": [ |
| { |
| "vendor": "Go standard library", |
| "product": "net/http", |
| "collectionURL": "https://pkg.go.dev", |
| "packageName": "net/http", |
| "versions": [ |
| { |
| "version": "0", |
| "lessThan": "1.18.9", |
| "status": "affected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "1.19.0-0", |
| "lessThan": "1.19.4", |
| "status": "affected", |
| "versionType": "semver" |
| } |
| ], |
| "programRoutines": [ |
| { |
| "name": "http2serverConn.canonicalHeader" |
| }, |
| { |
| "name": "ListenAndServe" |
| }, |
| { |
| "name": "ListenAndServeTLS" |
| }, |
| { |
| "name": "Serve" |
| }, |
| { |
| "name": "ServeTLS" |
| }, |
| { |
| "name": "Server.ListenAndServe" |
| }, |
| { |
| "name": "Server.ListenAndServeTLS" |
| }, |
| { |
| "name": "Server.Serve" |
| }, |
| { |
| "name": "Server.ServeTLS" |
| }, |
| { |
| "name": "http2Server.ServeConn" |
| } |
| ], |
| "defaultStatus": "unaffected" |
| }, |
| { |
| "vendor": "golang.org/x/net", |
| "product": "golang.org/x/net/http2", |
| "collectionURL": "https://pkg.go.dev", |
| "packageName": "golang.org/x/net/http2", |
| "versions": [ |
| { |
| "version": "0", |
| "lessThan": "0.4.0", |
| "status": "affected", |
| "versionType": "semver" |
| } |
| ], |
| "programRoutines": [ |
| { |
| "name": "serverConn.canonicalHeader" |
| }, |
| { |
| "name": "Server.ServeConn" |
| } |
| ], |
| "defaultStatus": "unaffected" |
| } |
| ], |
| "problemTypes": [ |
| { |
| "descriptions": [ |
| { |
| "lang": "en", |
| "description": "CWE 400: Uncontrolled Resource Consumption" |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://go.dev/issue/56350" |
| }, |
| { |
| "url": "https://go.dev/cl/455717" |
| }, |
| { |
| "url": "https://go.dev/cl/455635" |
| }, |
| { |
| "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" |
| }, |
| { |
| "url": "https://pkg.go.dev/vuln/GO-2022-1144" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/" |
| }, |
| { |
| "url": "https://security.gentoo.org/glsa/202311-09" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/" |
| }, |
| { |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/" |
| } |
| ], |
| "credits": [ |
| { |
| "lang": "en", |
| "value": "Josselin Costanzi" |
| } |
| ] |
| } |
| } |
| } |