blob: 096f91303586bf5398d16140f9585cb47fdf341d [file] [log] [blame]
id: GO-2022-0233
modules:
- module: github.com/pires/go-proxyproto
versions:
- fixed: 0.6.1
vulnerable_at: 0.5.0
packages:
- package: github.com/pires/go-proxyproto
symbols:
- Listener.Accept
summary: Resource exhaustion in github.com/pires/go-proxyproto
description: |-
The PROXY protocol server does not impose a timeout on reading the header from
new connections, allowing a malicious client to cause resource exhaustion and a
denial of service by opening many connections and sending no data on them.
v0.6.0 of the proxyproto package adds support for a user-defined header timeout.
v0.6.1 adds a default timeout of 200ms and v0.6.2 increases the default timeout
to 10s.
published: 2022-07-01T20:18:04Z
cves:
- CVE-2021-23409
ghsas:
- GHSA-xcf7-q56x-78gh
references:
- fix: https://github.com/pires/go-proxyproto/pull/74
- fix: https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346
- web: https://github.com/pires/go-proxyproto/issues/65
review_status: REVIEWED