blob: 8f8e3f7122baa008cae8c9faec9d166f98674d9c [file] [log] [blame]
id: GO-2024-2687
modules:
- module: std
versions:
- fixed: 1.21.9
- introduced: 1.22.0-0
- fixed: 1.22.2
vulnerable_at: 1.22.1
packages:
- package: net/http
symbols:
- http2Framer.readMetaFrame
derived_symbols:
- CanonicalHeaderKey
- Client.CloseIdleConnections
- Client.Do
- Client.Get
- Client.Head
- Client.Post
- Client.PostForm
- Cookie.String
- Cookie.Valid
- Dir.Open
- Error
- Get
- HandlerFunc.ServeHTTP
- Head
- Header.Add
- Header.Del
- Header.Get
- Header.Set
- Header.Values
- Header.Write
- Header.WriteSubset
- ListenAndServe
- ListenAndServeTLS
- NewRequest
- NewRequestWithContext
- NotFound
- ParseTime
- Post
- PostForm
- ProxyFromEnvironment
- ReadRequest
- ReadResponse
- Redirect
- Request.AddCookie
- Request.BasicAuth
- Request.FormFile
- Request.FormValue
- Request.MultipartReader
- Request.ParseForm
- Request.ParseMultipartForm
- Request.PostFormValue
- Request.Referer
- Request.SetBasicAuth
- Request.UserAgent
- Request.Write
- Request.WriteProxy
- Response.Cookies
- Response.Location
- Response.Write
- ResponseController.EnableFullDuplex
- ResponseController.Flush
- ResponseController.Hijack
- ResponseController.SetReadDeadline
- ResponseController.SetWriteDeadline
- Serve
- ServeContent
- ServeFile
- ServeMux.ServeHTTP
- ServeTLS
- Server.Close
- Server.ListenAndServe
- Server.ListenAndServeTLS
- Server.Serve
- Server.ServeTLS
- Server.SetKeepAlivesEnabled
- Server.Shutdown
- SetCookie
- Transport.CancelRequest
- Transport.Clone
- Transport.CloseIdleConnections
- Transport.RoundTrip
- body.Close
- body.Read
- bodyEOFSignal.Close
- bodyEOFSignal.Read
- bodyLocked.Read
- bufioFlushWriter.Write
- cancelTimerBody.Close
- cancelTimerBody.Read
- checkConnErrorWriter.Write
- chunkWriter.Write
- connReader.Read
- connectMethodKey.String
- expectContinueReader.Close
- expectContinueReader.Read
- extraHeader.Write
- fileHandler.ServeHTTP
- fileTransport.RoundTrip
- globalOptionsHandler.ServeHTTP
- gzipReader.Close
- gzipReader.Read
- http2ClientConn.Close
- http2ClientConn.Ping
- http2ClientConn.RoundTrip
- http2ClientConn.Shutdown
- http2ConnectionError.Error
- http2ErrCode.String
- http2FrameHeader.String
- http2FrameType.String
- http2FrameWriteRequest.String
- http2Framer.ReadFrame
- http2Framer.WriteContinuation
- http2Framer.WriteData
- http2Framer.WriteDataPadded
- http2Framer.WriteGoAway
- http2Framer.WriteHeaders
- http2Framer.WritePing
- http2Framer.WritePriority
- http2Framer.WritePushPromise
- http2Framer.WriteRSTStream
- http2Framer.WriteRawFrame
- http2Framer.WriteSettings
- http2Framer.WriteSettingsAck
- http2Framer.WriteWindowUpdate
- http2GoAwayError.Error
- http2Server.ServeConn
- http2Setting.String
- http2SettingID.String
- http2SettingsFrame.ForeachSetting
- http2StreamError.Error
- http2Transport.CloseIdleConnections
- http2Transport.NewClientConn
- http2Transport.RoundTrip
- http2Transport.RoundTripOpt
- http2bufferedWriter.Flush
- http2bufferedWriter.Write
- http2chunkWriter.Write
- http2clientConnPool.GetClientConn
- http2connError.Error
- http2dataBuffer.Read
- http2duplicatePseudoHeaderError.Error
- http2gzipReader.Close
- http2gzipReader.Read
- http2headerFieldNameError.Error
- http2headerFieldValueError.Error
- http2noDialClientConnPool.GetClientConn
- http2noDialH2RoundTripper.RoundTrip
- http2pipe.Read
- http2priorityWriteScheduler.CloseStream
- http2priorityWriteScheduler.OpenStream
- http2pseudoHeaderError.Error
- http2requestBody.Close
- http2requestBody.Read
- http2responseWriter.Flush
- http2responseWriter.FlushError
- http2responseWriter.Push
- http2responseWriter.SetReadDeadline
- http2responseWriter.SetWriteDeadline
- http2responseWriter.Write
- http2responseWriter.WriteHeader
- http2responseWriter.WriteString
- http2roundRobinWriteScheduler.OpenStream
- http2serverConn.CloseConn
- http2serverConn.Flush
- http2stickyErrWriter.Write
- http2transportResponseBody.Close
- http2transportResponseBody.Read
- http2writeData.String
- initALPNRequest.ServeHTTP
- loggingConn.Close
- loggingConn.Read
- loggingConn.Write
- maxBytesReader.Close
- maxBytesReader.Read
- onceCloseListener.Close
- persistConn.Read
- persistConnWriter.ReadFrom
- persistConnWriter.Write
- populateResponse.Write
- populateResponse.WriteHeader
- readTrackingBody.Close
- readTrackingBody.Read
- readWriteCloserBody.Read
- redirectHandler.ServeHTTP
- response.Flush
- response.FlushError
- response.Hijack
- response.ReadFrom
- response.Write
- response.WriteHeader
- response.WriteString
- serverHandler.ServeHTTP
- socksDialer.DialWithConn
- socksUsernamePassword.Authenticate
- stringWriter.WriteString
- timeoutHandler.ServeHTTP
- timeoutWriter.Write
- timeoutWriter.WriteHeader
- transportReadFromServerError.Error
- module: golang.org/x/net
versions:
- fixed: 0.23.0
vulnerable_at: 0.22.0
packages:
- package: golang.org/x/net/http2
symbols:
- Framer.readMetaFrame
derived_symbols:
- ClientConn.Close
- ClientConn.Ping
- ClientConn.RoundTrip
- ClientConn.Shutdown
- ConfigureServer
- ConfigureTransport
- ConfigureTransports
- ConnectionError.Error
- ErrCode.String
- FrameHeader.String
- FrameType.String
- FrameWriteRequest.String
- Framer.ReadFrame
- Framer.WriteContinuation
- Framer.WriteData
- Framer.WriteDataPadded
- Framer.WriteGoAway
- Framer.WriteHeaders
- Framer.WritePing
- Framer.WritePriority
- Framer.WritePushPromise
- Framer.WriteRSTStream
- Framer.WriteRawFrame
- Framer.WriteSettings
- Framer.WriteSettingsAck
- Framer.WriteWindowUpdate
- GoAwayError.Error
- ReadFrameHeader
- Server.ServeConn
- Setting.String
- SettingID.String
- SettingsFrame.ForeachSetting
- StreamError.Error
- Transport.CloseIdleConnections
- Transport.NewClientConn
- Transport.RoundTrip
- Transport.RoundTripOpt
- bufferedWriter.Flush
- bufferedWriter.Write
- chunkWriter.Write
- clientConnPool.GetClientConn
- connError.Error
- dataBuffer.Read
- duplicatePseudoHeaderError.Error
- gzipReader.Close
- gzipReader.Read
- headerFieldNameError.Error
- headerFieldValueError.Error
- noDialClientConnPool.GetClientConn
- noDialH2RoundTripper.RoundTrip
- pipe.Read
- priorityWriteScheduler.CloseStream
- priorityWriteScheduler.OpenStream
- pseudoHeaderError.Error
- requestBody.Close
- requestBody.Read
- responseWriter.Flush
- responseWriter.FlushError
- responseWriter.Push
- responseWriter.SetReadDeadline
- responseWriter.SetWriteDeadline
- responseWriter.Write
- responseWriter.WriteHeader
- responseWriter.WriteString
- roundRobinWriteScheduler.OpenStream
- serverConn.CloseConn
- serverConn.Flush
- stickyErrWriter.Write
- transportResponseBody.Close
- transportResponseBody.Read
- writeData.String
summary: HTTP/2 CONTINUATION flood in net/http
description: |-
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header
data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and
CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, no memory is allocated to store the excess headers, but they are
still parsed.
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts
of header data, all associated with a request which is going to be rejected.
These headers can include Huffman-encoded data which is significantly more
expensive for the receiver to decode than for an attacker to send.
The fix sets a limit on the amount of excess header frames we will process
before closing a connection.
ghsas:
- GHSA-4v7x-pqxf-cx7m
credits:
- Bartek Nowotarski (https://nowotarski.info/)
references:
- report: https://go.dev/issue/65051
- fix: https://go.dev/cl/576155
- web: https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
cve_metadata:
id: CVE-2023-45288
cwe: 'CWE-400: Uncontrolled Resource Consumption'
references:
- https://security.netapp.com/advisory/ntap-20240419-0009/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
- http://www.openwall.com/lists/oss-security/2024/04/05/4
- http://www.openwall.com/lists/oss-security/2024/04/03/16
review_status: REVIEWED