blob: caa540ca3045012ada8fe083b4e3895cedc0f1b1 [file] [log] [blame]
id: GO-2021-0172
modules:
- module: std
versions:
- fixed: 1.6.4
- introduced: 1.7.0-0
fixed: 1.7.4
vulnerable_at: 1.7.3
packages:
- package: mime/multipart
symbols:
- Reader.readForm
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Denial of service when parsing large forms in mime/multipart
description: |-
When parsing large multipart/form-data, an attacker can cause a HTTP server to
open a large number of file descriptors. This may be used as a denial-of-service
vector.
published: 2022-02-15T23:56:14Z
cves:
- CVE-2017-1000098
credits:
- Simon Rawet
references:
- fix: https://go.dev/cl/30410
- fix: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
- report: https://go.dev/issue/16296
- web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
review_status: REVIEWED