| id: GO-2021-0172 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.6.4 |
| - introduced: 1.7.0-0 |
| fixed: 1.7.4 |
| vulnerable_at: 1.7.3 |
| packages: |
| - package: mime/multipart |
| symbols: |
| - Reader.readForm |
| skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)' |
| summary: Denial of service when parsing large forms in mime/multipart |
| description: |- |
| When parsing large multipart/form-data, an attacker can cause a HTTP server to |
| open a large number of file descriptors. This may be used as a denial-of-service |
| vector. |
| published: 2022-02-15T23:56:14Z |
| cves: |
| - CVE-2017-1000098 |
| credits: |
| - Simon Rawet |
| references: |
| - fix: https://go.dev/cl/30410 |
| - fix: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184 |
| - report: https://go.dev/issue/16296 |
| - web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ |
| review_status: REVIEWED |