| id: GO-2022-0233 |
| modules: |
| - module: github.com/pires/go-proxyproto |
| versions: |
| - fixed: 0.6.1 |
| vulnerable_at: 0.5.0 |
| packages: |
| - package: github.com/pires/go-proxyproto |
| symbols: |
| - Listener.Accept |
| summary: Resource exhaustion in github.com/pires/go-proxyproto |
| description: |- |
| The PROXY protocol server does not impose a timeout on reading the header from |
| new connections, allowing a malicious client to cause resource exhaustion and a |
| denial of service by opening many connections and sending no data on them. |
| |
| v0.6.0 of the proxyproto package adds support for a user-defined header timeout. |
| v0.6.1 adds a default timeout of 200ms and v0.6.2 increases the default timeout |
| to 10s. |
| published: 2022-07-01T20:18:04Z |
| cves: |
| - CVE-2021-23409 |
| ghsas: |
| - GHSA-xcf7-q56x-78gh |
| references: |
| - fix: https://github.com/pires/go-proxyproto/pull/74 |
| - fix: https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346 |
| - web: https://github.com/pires/go-proxyproto/issues/65 |
| review_status: REVIEWED |