| { |
| "schema_version": "1.3.1", |
| "id": "GO-2023-1571", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2022-41723", |
| "GHSA-vvpx-j8f3-3w6h" |
| ], |
| "summary": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", |
| "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", |
| "affected": [ |
| { |
| "package": { |
| "name": "stdlib", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.19.6" |
| }, |
| { |
| "introduced": "1.20.0-0" |
| }, |
| { |
| "fixed": "1.20.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "net/http", |
| "symbols": [ |
| "Client.Do", |
| "Client.Get", |
| "Client.Head", |
| "Client.Post", |
| "Client.PostForm", |
| "Get", |
| "Head", |
| "ListenAndServe", |
| "ListenAndServeTLS", |
| "Post", |
| "PostForm", |
| "Serve", |
| "ServeTLS", |
| "Server.ListenAndServe", |
| "Server.ListenAndServeTLS", |
| "Server.Serve", |
| "Server.ServeTLS", |
| "Transport.RoundTrip" |
| ] |
| } |
| ] |
| } |
| }, |
| { |
| "package": { |
| "name": "golang.org/x/net", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.7.0" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "golang.org/x/net/http2", |
| "symbols": [ |
| "ClientConn.Close", |
| "ClientConn.Ping", |
| "ClientConn.RoundTrip", |
| "ClientConn.Shutdown", |
| "ConfigureServer", |
| "ConfigureTransport", |
| "ConfigureTransports", |
| "ConnectionError.Error", |
| "ErrCode.String", |
| "FrameHeader.String", |
| "FrameType.String", |
| "FrameWriteRequest.String", |
| "Framer.ReadFrame", |
| "Framer.WriteContinuation", |
| "Framer.WriteData", |
| "Framer.WriteDataPadded", |
| "Framer.WriteGoAway", |
| "Framer.WriteHeaders", |
| "Framer.WritePing", |
| "Framer.WritePriority", |
| "Framer.WritePushPromise", |
| "Framer.WriteRSTStream", |
| "Framer.WriteRawFrame", |
| "Framer.WriteSettings", |
| "Framer.WriteSettingsAck", |
| "Framer.WriteWindowUpdate", |
| "GoAwayError.Error", |
| "ReadFrameHeader", |
| "Server.ServeConn", |
| "Setting.String", |
| "SettingID.String", |
| "SettingsFrame.ForeachSetting", |
| "StreamError.Error", |
| "Transport.CloseIdleConnections", |
| "Transport.NewClientConn", |
| "Transport.RoundTrip", |
| "Transport.RoundTripOpt", |
| "bufferedWriter.Flush", |
| "bufferedWriter.Write", |
| "chunkWriter.Write", |
| "clientConnPool.GetClientConn", |
| "connError.Error", |
| "dataBuffer.Read", |
| "duplicatePseudoHeaderError.Error", |
| "gzipReader.Close", |
| "gzipReader.Read", |
| "headerFieldNameError.Error", |
| "headerFieldValueError.Error", |
| "noDialClientConnPool.GetClientConn", |
| "noDialH2RoundTripper.RoundTrip", |
| "pipe.Read", |
| "priorityWriteScheduler.CloseStream", |
| "priorityWriteScheduler.OpenStream", |
| "pseudoHeaderError.Error", |
| "requestBody.Close", |
| "requestBody.Read", |
| "responseWriter.Flush", |
| "responseWriter.FlushError", |
| "responseWriter.Push", |
| "responseWriter.SetReadDeadline", |
| "responseWriter.SetWriteDeadline", |
| "responseWriter.Write", |
| "responseWriter.WriteHeader", |
| "responseWriter.WriteString", |
| "serverConn.CloseConn", |
| "serverConn.Flush", |
| "stickyErrWriter.Write", |
| "transportResponseBody.Close", |
| "transportResponseBody.Read", |
| "writeData.String" |
| ] |
| }, |
| { |
| "path": "golang.org/x/net/http2/hpack", |
| "symbols": [ |
| "Decoder.DecodeFull", |
| "Decoder.Write", |
| "Decoder.parseFieldLiteral", |
| "Decoder.readString" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/57855" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/468135" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/468295" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Philippe Antoine (Catena cyber)" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2023-1571", |
| "review_status": "REVIEWED" |
| } |
| } |