data/reports: add GO-2024-2687
Aliases: CVE-2023-45288
Updates golang/vulndb#2687
Change-Id: Idb607a27b190e11812a63eff20f83720656a3df5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576216
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/cve/v5/GO-2024-2687.json b/data/cve/v5/GO-2024-2687.json
new file mode 100644
index 0000000..e1082ac
--- /dev/null
+++ b/data/cve/v5/GO-2024-2687.json
@@ -0,0 +1,879 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-45288"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "title": "HTTP/2 CONTINUATION flood in net/http",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go standard library",
+ "product": "net/http",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net/http",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.21.9",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.22.0-0",
+ "lessThan": "1.22.2",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "http2Framer.readMetaFrame"
+ },
+ {
+ "name": "CanonicalHeaderKey"
+ },
+ {
+ "name": "Client.CloseIdleConnections"
+ },
+ {
+ "name": "Client.Do"
+ },
+ {
+ "name": "Client.Get"
+ },
+ {
+ "name": "Client.Head"
+ },
+ {
+ "name": "Client.Post"
+ },
+ {
+ "name": "Client.PostForm"
+ },
+ {
+ "name": "Cookie.String"
+ },
+ {
+ "name": "Cookie.Valid"
+ },
+ {
+ "name": "Dir.Open"
+ },
+ {
+ "name": "Error"
+ },
+ {
+ "name": "Get"
+ },
+ {
+ "name": "HandlerFunc.ServeHTTP"
+ },
+ {
+ "name": "Head"
+ },
+ {
+ "name": "Header.Add"
+ },
+ {
+ "name": "Header.Del"
+ },
+ {
+ "name": "Header.Get"
+ },
+ {
+ "name": "Header.Set"
+ },
+ {
+ "name": "Header.Values"
+ },
+ {
+ "name": "Header.Write"
+ },
+ {
+ "name": "Header.WriteSubset"
+ },
+ {
+ "name": "ListenAndServe"
+ },
+ {
+ "name": "ListenAndServeTLS"
+ },
+ {
+ "name": "NewRequest"
+ },
+ {
+ "name": "NewRequestWithContext"
+ },
+ {
+ "name": "NotFound"
+ },
+ {
+ "name": "ParseTime"
+ },
+ {
+ "name": "Post"
+ },
+ {
+ "name": "PostForm"
+ },
+ {
+ "name": "ProxyFromEnvironment"
+ },
+ {
+ "name": "ReadRequest"
+ },
+ {
+ "name": "ReadResponse"
+ },
+ {
+ "name": "Redirect"
+ },
+ {
+ "name": "Request.AddCookie"
+ },
+ {
+ "name": "Request.BasicAuth"
+ },
+ {
+ "name": "Request.FormFile"
+ },
+ {
+ "name": "Request.FormValue"
+ },
+ {
+ "name": "Request.MultipartReader"
+ },
+ {
+ "name": "Request.ParseForm"
+ },
+ {
+ "name": "Request.ParseMultipartForm"
+ },
+ {
+ "name": "Request.PostFormValue"
+ },
+ {
+ "name": "Request.Referer"
+ },
+ {
+ "name": "Request.SetBasicAuth"
+ },
+ {
+ "name": "Request.UserAgent"
+ },
+ {
+ "name": "Request.Write"
+ },
+ {
+ "name": "Request.WriteProxy"
+ },
+ {
+ "name": "Response.Cookies"
+ },
+ {
+ "name": "Response.Location"
+ },
+ {
+ "name": "Response.Write"
+ },
+ {
+ "name": "ResponseController.EnableFullDuplex"
+ },
+ {
+ "name": "ResponseController.Flush"
+ },
+ {
+ "name": "ResponseController.Hijack"
+ },
+ {
+ "name": "ResponseController.SetReadDeadline"
+ },
+ {
+ "name": "ResponseController.SetWriteDeadline"
+ },
+ {
+ "name": "Serve"
+ },
+ {
+ "name": "ServeContent"
+ },
+ {
+ "name": "ServeFile"
+ },
+ {
+ "name": "ServeMux.ServeHTTP"
+ },
+ {
+ "name": "ServeTLS"
+ },
+ {
+ "name": "Server.Close"
+ },
+ {
+ "name": "Server.ListenAndServe"
+ },
+ {
+ "name": "Server.ListenAndServeTLS"
+ },
+ {
+ "name": "Server.Serve"
+ },
+ {
+ "name": "Server.ServeTLS"
+ },
+ {
+ "name": "Server.SetKeepAlivesEnabled"
+ },
+ {
+ "name": "Server.Shutdown"
+ },
+ {
+ "name": "SetCookie"
+ },
+ {
+ "name": "Transport.CancelRequest"
+ },
+ {
+ "name": "Transport.Clone"
+ },
+ {
+ "name": "Transport.CloseIdleConnections"
+ },
+ {
+ "name": "Transport.RoundTrip"
+ },
+ {
+ "name": "body.Close"
+ },
+ {
+ "name": "body.Read"
+ },
+ {
+ "name": "bodyEOFSignal.Close"
+ },
+ {
+ "name": "bodyEOFSignal.Read"
+ },
+ {
+ "name": "bodyLocked.Read"
+ },
+ {
+ "name": "bufioFlushWriter.Write"
+ },
+ {
+ "name": "cancelTimerBody.Close"
+ },
+ {
+ "name": "cancelTimerBody.Read"
+ },
+ {
+ "name": "checkConnErrorWriter.Write"
+ },
+ {
+ "name": "chunkWriter.Write"
+ },
+ {
+ "name": "connReader.Read"
+ },
+ {
+ "name": "connectMethodKey.String"
+ },
+ {
+ "name": "expectContinueReader.Close"
+ },
+ {
+ "name": "expectContinueReader.Read"
+ },
+ {
+ "name": "extraHeader.Write"
+ },
+ {
+ "name": "fileHandler.ServeHTTP"
+ },
+ {
+ "name": "fileTransport.RoundTrip"
+ },
+ {
+ "name": "globalOptionsHandler.ServeHTTP"
+ },
+ {
+ "name": "gzipReader.Close"
+ },
+ {
+ "name": "gzipReader.Read"
+ },
+ {
+ "name": "http2ClientConn.Close"
+ },
+ {
+ "name": "http2ClientConn.Ping"
+ },
+ {
+ "name": "http2ClientConn.RoundTrip"
+ },
+ {
+ "name": "http2ClientConn.Shutdown"
+ },
+ {
+ "name": "http2ConnectionError.Error"
+ },
+ {
+ "name": "http2ErrCode.String"
+ },
+ {
+ "name": "http2FrameHeader.String"
+ },
+ {
+ "name": "http2FrameType.String"
+ },
+ {
+ "name": "http2FrameWriteRequest.String"
+ },
+ {
+ "name": "http2Framer.ReadFrame"
+ },
+ {
+ "name": "http2Framer.WriteContinuation"
+ },
+ {
+ "name": "http2Framer.WriteData"
+ },
+ {
+ "name": "http2Framer.WriteDataPadded"
+ },
+ {
+ "name": "http2Framer.WriteGoAway"
+ },
+ {
+ "name": "http2Framer.WriteHeaders"
+ },
+ {
+ "name": "http2Framer.WritePing"
+ },
+ {
+ "name": "http2Framer.WritePriority"
+ },
+ {
+ "name": "http2Framer.WritePushPromise"
+ },
+ {
+ "name": "http2Framer.WriteRSTStream"
+ },
+ {
+ "name": "http2Framer.WriteRawFrame"
+ },
+ {
+ "name": "http2Framer.WriteSettings"
+ },
+ {
+ "name": "http2Framer.WriteSettingsAck"
+ },
+ {
+ "name": "http2Framer.WriteWindowUpdate"
+ },
+ {
+ "name": "http2GoAwayError.Error"
+ },
+ {
+ "name": "http2Server.ServeConn"
+ },
+ {
+ "name": "http2Setting.String"
+ },
+ {
+ "name": "http2SettingID.String"
+ },
+ {
+ "name": "http2SettingsFrame.ForeachSetting"
+ },
+ {
+ "name": "http2StreamError.Error"
+ },
+ {
+ "name": "http2Transport.CloseIdleConnections"
+ },
+ {
+ "name": "http2Transport.NewClientConn"
+ },
+ {
+ "name": "http2Transport.RoundTrip"
+ },
+ {
+ "name": "http2Transport.RoundTripOpt"
+ },
+ {
+ "name": "http2bufferedWriter.Flush"
+ },
+ {
+ "name": "http2bufferedWriter.Write"
+ },
+ {
+ "name": "http2chunkWriter.Write"
+ },
+ {
+ "name": "http2clientConnPool.GetClientConn"
+ },
+ {
+ "name": "http2connError.Error"
+ },
+ {
+ "name": "http2dataBuffer.Read"
+ },
+ {
+ "name": "http2duplicatePseudoHeaderError.Error"
+ },
+ {
+ "name": "http2gzipReader.Close"
+ },
+ {
+ "name": "http2gzipReader.Read"
+ },
+ {
+ "name": "http2headerFieldNameError.Error"
+ },
+ {
+ "name": "http2headerFieldValueError.Error"
+ },
+ {
+ "name": "http2noDialClientConnPool.GetClientConn"
+ },
+ {
+ "name": "http2noDialH2RoundTripper.RoundTrip"
+ },
+ {
+ "name": "http2pipe.Read"
+ },
+ {
+ "name": "http2priorityWriteScheduler.CloseStream"
+ },
+ {
+ "name": "http2priorityWriteScheduler.OpenStream"
+ },
+ {
+ "name": "http2pseudoHeaderError.Error"
+ },
+ {
+ "name": "http2requestBody.Close"
+ },
+ {
+ "name": "http2requestBody.Read"
+ },
+ {
+ "name": "http2responseWriter.Flush"
+ },
+ {
+ "name": "http2responseWriter.FlushError"
+ },
+ {
+ "name": "http2responseWriter.Push"
+ },
+ {
+ "name": "http2responseWriter.SetReadDeadline"
+ },
+ {
+ "name": "http2responseWriter.SetWriteDeadline"
+ },
+ {
+ "name": "http2responseWriter.Write"
+ },
+ {
+ "name": "http2responseWriter.WriteHeader"
+ },
+ {
+ "name": "http2responseWriter.WriteString"
+ },
+ {
+ "name": "http2roundRobinWriteScheduler.OpenStream"
+ },
+ {
+ "name": "http2serverConn.CloseConn"
+ },
+ {
+ "name": "http2serverConn.Flush"
+ },
+ {
+ "name": "http2stickyErrWriter.Write"
+ },
+ {
+ "name": "http2transportResponseBody.Close"
+ },
+ {
+ "name": "http2transportResponseBody.Read"
+ },
+ {
+ "name": "http2writeData.String"
+ },
+ {
+ "name": "initALPNRequest.ServeHTTP"
+ },
+ {
+ "name": "loggingConn.Close"
+ },
+ {
+ "name": "loggingConn.Read"
+ },
+ {
+ "name": "loggingConn.Write"
+ },
+ {
+ "name": "maxBytesReader.Close"
+ },
+ {
+ "name": "maxBytesReader.Read"
+ },
+ {
+ "name": "onceCloseListener.Close"
+ },
+ {
+ "name": "persistConn.Read"
+ },
+ {
+ "name": "persistConnWriter.ReadFrom"
+ },
+ {
+ "name": "persistConnWriter.Write"
+ },
+ {
+ "name": "populateResponse.Write"
+ },
+ {
+ "name": "populateResponse.WriteHeader"
+ },
+ {
+ "name": "readTrackingBody.Close"
+ },
+ {
+ "name": "readTrackingBody.Read"
+ },
+ {
+ "name": "readWriteCloserBody.Read"
+ },
+ {
+ "name": "redirectHandler.ServeHTTP"
+ },
+ {
+ "name": "response.Flush"
+ },
+ {
+ "name": "response.FlushError"
+ },
+ {
+ "name": "response.Hijack"
+ },
+ {
+ "name": "response.ReadFrom"
+ },
+ {
+ "name": "response.Write"
+ },
+ {
+ "name": "response.WriteHeader"
+ },
+ {
+ "name": "response.WriteString"
+ },
+ {
+ "name": "serverHandler.ServeHTTP"
+ },
+ {
+ "name": "socksDialer.DialWithConn"
+ },
+ {
+ "name": "socksUsernamePassword.Authenticate"
+ },
+ {
+ "name": "stringWriter.WriteString"
+ },
+ {
+ "name": "timeoutHandler.ServeHTTP"
+ },
+ {
+ "name": "timeoutWriter.Write"
+ },
+ {
+ "name": "timeoutWriter.WriteHeader"
+ },
+ {
+ "name": "transportReadFromServerError.Error"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "vendor": "golang.org/x/net",
+ "product": "golang.org/x/net/http2",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "golang.org/x/net/http2",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "0.23.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Framer.readMetaFrame"
+ },
+ {
+ "name": "ClientConn.Close"
+ },
+ {
+ "name": "ClientConn.Ping"
+ },
+ {
+ "name": "ClientConn.RoundTrip"
+ },
+ {
+ "name": "ClientConn.Shutdown"
+ },
+ {
+ "name": "ConfigureServer"
+ },
+ {
+ "name": "ConfigureTransport"
+ },
+ {
+ "name": "ConfigureTransports"
+ },
+ {
+ "name": "ConnectionError.Error"
+ },
+ {
+ "name": "ErrCode.String"
+ },
+ {
+ "name": "FrameHeader.String"
+ },
+ {
+ "name": "FrameType.String"
+ },
+ {
+ "name": "FrameWriteRequest.String"
+ },
+ {
+ "name": "Framer.ReadFrame"
+ },
+ {
+ "name": "Framer.WriteContinuation"
+ },
+ {
+ "name": "Framer.WriteData"
+ },
+ {
+ "name": "Framer.WriteDataPadded"
+ },
+ {
+ "name": "Framer.WriteGoAway"
+ },
+ {
+ "name": "Framer.WriteHeaders"
+ },
+ {
+ "name": "Framer.WritePing"
+ },
+ {
+ "name": "Framer.WritePriority"
+ },
+ {
+ "name": "Framer.WritePushPromise"
+ },
+ {
+ "name": "Framer.WriteRSTStream"
+ },
+ {
+ "name": "Framer.WriteRawFrame"
+ },
+ {
+ "name": "Framer.WriteSettings"
+ },
+ {
+ "name": "Framer.WriteSettingsAck"
+ },
+ {
+ "name": "Framer.WriteWindowUpdate"
+ },
+ {
+ "name": "GoAwayError.Error"
+ },
+ {
+ "name": "ReadFrameHeader"
+ },
+ {
+ "name": "Server.ServeConn"
+ },
+ {
+ "name": "Setting.String"
+ },
+ {
+ "name": "SettingID.String"
+ },
+ {
+ "name": "SettingsFrame.ForeachSetting"
+ },
+ {
+ "name": "StreamError.Error"
+ },
+ {
+ "name": "Transport.CloseIdleConnections"
+ },
+ {
+ "name": "Transport.NewClientConn"
+ },
+ {
+ "name": "Transport.RoundTrip"
+ },
+ {
+ "name": "Transport.RoundTripOpt"
+ },
+ {
+ "name": "bufferedWriter.Flush"
+ },
+ {
+ "name": "bufferedWriter.Write"
+ },
+ {
+ "name": "chunkWriter.Write"
+ },
+ {
+ "name": "clientConnPool.GetClientConn"
+ },
+ {
+ "name": "connError.Error"
+ },
+ {
+ "name": "dataBuffer.Read"
+ },
+ {
+ "name": "duplicatePseudoHeaderError.Error"
+ },
+ {
+ "name": "gzipReader.Close"
+ },
+ {
+ "name": "gzipReader.Read"
+ },
+ {
+ "name": "headerFieldNameError.Error"
+ },
+ {
+ "name": "headerFieldValueError.Error"
+ },
+ {
+ "name": "noDialClientConnPool.GetClientConn"
+ },
+ {
+ "name": "noDialH2RoundTripper.RoundTrip"
+ },
+ {
+ "name": "pipe.Read"
+ },
+ {
+ "name": "priorityWriteScheduler.CloseStream"
+ },
+ {
+ "name": "priorityWriteScheduler.OpenStream"
+ },
+ {
+ "name": "pseudoHeaderError.Error"
+ },
+ {
+ "name": "requestBody.Close"
+ },
+ {
+ "name": "requestBody.Read"
+ },
+ {
+ "name": "responseWriter.Flush"
+ },
+ {
+ "name": "responseWriter.FlushError"
+ },
+ {
+ "name": "responseWriter.Push"
+ },
+ {
+ "name": "responseWriter.SetReadDeadline"
+ },
+ {
+ "name": "responseWriter.SetWriteDeadline"
+ },
+ {
+ "name": "responseWriter.Write"
+ },
+ {
+ "name": "responseWriter.WriteHeader"
+ },
+ {
+ "name": "responseWriter.WriteString"
+ },
+ {
+ "name": "roundRobinWriteScheduler.OpenStream"
+ },
+ {
+ "name": "serverConn.CloseConn"
+ },
+ {
+ "name": "serverConn.Flush"
+ },
+ {
+ "name": "stickyErrWriter.Write"
+ },
+ {
+ "name": "transportResponseBody.Close"
+ },
+ {
+ "name": "transportResponseBody.Read"
+ },
+ {
+ "name": "writeData.String"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/65051"
+ },
+ {
+ "url": "https://go.dev/cl/576155"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2687"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Bartek Nowotarski (https://nowotarski.info/)"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2687.json b/data/osv/GO-2024-2687.json
new file mode 100644
index 0000000..145ba00
--- /dev/null
+++ b/data/osv/GO-2024-2687.json
@@ -0,0 +1,359 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2687",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-45288"
+ ],
+ "summary": "HTTP/2 CONTINUATION flood in net/http",
+ "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.\n\nMaintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.\n\nThis permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.\n\nThe fix sets a limit on the amount of excess header frames we will process before closing a connection.",
+ "affected": [
+ {
+ "package": {
+ "name": "stdlib",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.21.9"
+ },
+ {
+ "introduced": "1.22.0-0"
+ },
+ {
+ "fixed": "1.22.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "net/http",
+ "symbols": [
+ "CanonicalHeaderKey",
+ "Client.CloseIdleConnections",
+ "Client.Do",
+ "Client.Get",
+ "Client.Head",
+ "Client.Post",
+ "Client.PostForm",
+ "Cookie.String",
+ "Cookie.Valid",
+ "Dir.Open",
+ "Error",
+ "Get",
+ "HandlerFunc.ServeHTTP",
+ "Head",
+ "Header.Add",
+ "Header.Del",
+ "Header.Get",
+ "Header.Set",
+ "Header.Values",
+ "Header.Write",
+ "Header.WriteSubset",
+ "ListenAndServe",
+ "ListenAndServeTLS",
+ "NewRequest",
+ "NewRequestWithContext",
+ "NotFound",
+ "ParseTime",
+ "Post",
+ "PostForm",
+ "ProxyFromEnvironment",
+ "ReadRequest",
+ "ReadResponse",
+ "Redirect",
+ "Request.AddCookie",
+ "Request.BasicAuth",
+ "Request.FormFile",
+ "Request.FormValue",
+ "Request.MultipartReader",
+ "Request.ParseForm",
+ "Request.ParseMultipartForm",
+ "Request.PostFormValue",
+ "Request.Referer",
+ "Request.SetBasicAuth",
+ "Request.UserAgent",
+ "Request.Write",
+ "Request.WriteProxy",
+ "Response.Cookies",
+ "Response.Location",
+ "Response.Write",
+ "ResponseController.EnableFullDuplex",
+ "ResponseController.Flush",
+ "ResponseController.Hijack",
+ "ResponseController.SetReadDeadline",
+ "ResponseController.SetWriteDeadline",
+ "Serve",
+ "ServeContent",
+ "ServeFile",
+ "ServeMux.ServeHTTP",
+ "ServeTLS",
+ "Server.Close",
+ "Server.ListenAndServe",
+ "Server.ListenAndServeTLS",
+ "Server.Serve",
+ "Server.ServeTLS",
+ "Server.SetKeepAlivesEnabled",
+ "Server.Shutdown",
+ "SetCookie",
+ "Transport.CancelRequest",
+ "Transport.Clone",
+ "Transport.CloseIdleConnections",
+ "Transport.RoundTrip",
+ "body.Close",
+ "body.Read",
+ "bodyEOFSignal.Close",
+ "bodyEOFSignal.Read",
+ "bodyLocked.Read",
+ "bufioFlushWriter.Write",
+ "cancelTimerBody.Close",
+ "cancelTimerBody.Read",
+ "checkConnErrorWriter.Write",
+ "chunkWriter.Write",
+ "connReader.Read",
+ "connectMethodKey.String",
+ "expectContinueReader.Close",
+ "expectContinueReader.Read",
+ "extraHeader.Write",
+ "fileHandler.ServeHTTP",
+ "fileTransport.RoundTrip",
+ "globalOptionsHandler.ServeHTTP",
+ "gzipReader.Close",
+ "gzipReader.Read",
+ "http2ClientConn.Close",
+ "http2ClientConn.Ping",
+ "http2ClientConn.RoundTrip",
+ "http2ClientConn.Shutdown",
+ "http2ConnectionError.Error",
+ "http2ErrCode.String",
+ "http2FrameHeader.String",
+ "http2FrameType.String",
+ "http2FrameWriteRequest.String",
+ "http2Framer.ReadFrame",
+ "http2Framer.WriteContinuation",
+ "http2Framer.WriteData",
+ "http2Framer.WriteDataPadded",
+ "http2Framer.WriteGoAway",
+ "http2Framer.WriteHeaders",
+ "http2Framer.WritePing",
+ "http2Framer.WritePriority",
+ "http2Framer.WritePushPromise",
+ "http2Framer.WriteRSTStream",
+ "http2Framer.WriteRawFrame",
+ "http2Framer.WriteSettings",
+ "http2Framer.WriteSettingsAck",
+ "http2Framer.WriteWindowUpdate",
+ "http2Framer.readMetaFrame",
+ "http2GoAwayError.Error",
+ "http2Server.ServeConn",
+ "http2Setting.String",
+ "http2SettingID.String",
+ "http2SettingsFrame.ForeachSetting",
+ "http2StreamError.Error",
+ "http2Transport.CloseIdleConnections",
+ "http2Transport.NewClientConn",
+ "http2Transport.RoundTrip",
+ "http2Transport.RoundTripOpt",
+ "http2bufferedWriter.Flush",
+ "http2bufferedWriter.Write",
+ "http2chunkWriter.Write",
+ "http2clientConnPool.GetClientConn",
+ "http2connError.Error",
+ "http2dataBuffer.Read",
+ "http2duplicatePseudoHeaderError.Error",
+ "http2gzipReader.Close",
+ "http2gzipReader.Read",
+ "http2headerFieldNameError.Error",
+ "http2headerFieldValueError.Error",
+ "http2noDialClientConnPool.GetClientConn",
+ "http2noDialH2RoundTripper.RoundTrip",
+ "http2pipe.Read",
+ "http2priorityWriteScheduler.CloseStream",
+ "http2priorityWriteScheduler.OpenStream",
+ "http2pseudoHeaderError.Error",
+ "http2requestBody.Close",
+ "http2requestBody.Read",
+ "http2responseWriter.Flush",
+ "http2responseWriter.FlushError",
+ "http2responseWriter.Push",
+ "http2responseWriter.SetReadDeadline",
+ "http2responseWriter.SetWriteDeadline",
+ "http2responseWriter.Write",
+ "http2responseWriter.WriteHeader",
+ "http2responseWriter.WriteString",
+ "http2roundRobinWriteScheduler.OpenStream",
+ "http2serverConn.CloseConn",
+ "http2serverConn.Flush",
+ "http2stickyErrWriter.Write",
+ "http2transportResponseBody.Close",
+ "http2transportResponseBody.Read",
+ "http2writeData.String",
+ "initALPNRequest.ServeHTTP",
+ "loggingConn.Close",
+ "loggingConn.Read",
+ "loggingConn.Write",
+ "maxBytesReader.Close",
+ "maxBytesReader.Read",
+ "onceCloseListener.Close",
+ "persistConn.Read",
+ "persistConnWriter.ReadFrom",
+ "persistConnWriter.Write",
+ "populateResponse.Write",
+ "populateResponse.WriteHeader",
+ "readTrackingBody.Close",
+ "readTrackingBody.Read",
+ "readWriteCloserBody.Read",
+ "redirectHandler.ServeHTTP",
+ "response.Flush",
+ "response.FlushError",
+ "response.Hijack",
+ "response.ReadFrom",
+ "response.Write",
+ "response.WriteHeader",
+ "response.WriteString",
+ "serverHandler.ServeHTTP",
+ "socksDialer.DialWithConn",
+ "socksUsernamePassword.Authenticate",
+ "stringWriter.WriteString",
+ "timeoutHandler.ServeHTTP",
+ "timeoutWriter.Write",
+ "timeoutWriter.WriteHeader",
+ "transportReadFromServerError.Error"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "golang.org/x/net",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.23.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "golang.org/x/net/http2",
+ "symbols": [
+ "ClientConn.Close",
+ "ClientConn.Ping",
+ "ClientConn.RoundTrip",
+ "ClientConn.Shutdown",
+ "ConfigureServer",
+ "ConfigureTransport",
+ "ConfigureTransports",
+ "ConnectionError.Error",
+ "ErrCode.String",
+ "FrameHeader.String",
+ "FrameType.String",
+ "FrameWriteRequest.String",
+ "Framer.ReadFrame",
+ "Framer.WriteContinuation",
+ "Framer.WriteData",
+ "Framer.WriteDataPadded",
+ "Framer.WriteGoAway",
+ "Framer.WriteHeaders",
+ "Framer.WritePing",
+ "Framer.WritePriority",
+ "Framer.WritePushPromise",
+ "Framer.WriteRSTStream",
+ "Framer.WriteRawFrame",
+ "Framer.WriteSettings",
+ "Framer.WriteSettingsAck",
+ "Framer.WriteWindowUpdate",
+ "Framer.readMetaFrame",
+ "GoAwayError.Error",
+ "ReadFrameHeader",
+ "Server.ServeConn",
+ "Setting.String",
+ "SettingID.String",
+ "SettingsFrame.ForeachSetting",
+ "StreamError.Error",
+ "Transport.CloseIdleConnections",
+ "Transport.NewClientConn",
+ "Transport.RoundTrip",
+ "Transport.RoundTripOpt",
+ "bufferedWriter.Flush",
+ "bufferedWriter.Write",
+ "chunkWriter.Write",
+ "clientConnPool.GetClientConn",
+ "connError.Error",
+ "dataBuffer.Read",
+ "duplicatePseudoHeaderError.Error",
+ "gzipReader.Close",
+ "gzipReader.Read",
+ "headerFieldNameError.Error",
+ "headerFieldValueError.Error",
+ "noDialClientConnPool.GetClientConn",
+ "noDialH2RoundTripper.RoundTrip",
+ "pipe.Read",
+ "priorityWriteScheduler.CloseStream",
+ "priorityWriteScheduler.OpenStream",
+ "pseudoHeaderError.Error",
+ "requestBody.Close",
+ "requestBody.Read",
+ "responseWriter.Flush",
+ "responseWriter.FlushError",
+ "responseWriter.Push",
+ "responseWriter.SetReadDeadline",
+ "responseWriter.SetWriteDeadline",
+ "responseWriter.Write",
+ "responseWriter.WriteHeader",
+ "responseWriter.WriteString",
+ "roundRobinWriteScheduler.OpenStream",
+ "serverConn.CloseConn",
+ "serverConn.Flush",
+ "stickyErrWriter.Write",
+ "transportResponseBody.Close",
+ "transportResponseBody.Read",
+ "writeData.String"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://go.dev/issue/65051"
+ },
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/576155"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Bartek Nowotarski (https://nowotarski.info/)"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2687"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2687.yaml b/data/reports/GO-2024-2687.yaml
new file mode 100644
index 0000000..52c1db9
--- /dev/null
+++ b/data/reports/GO-2024-2687.yaml
@@ -0,0 +1,308 @@
+id: GO-2024-2687
+modules:
+ - module: std
+ versions:
+ - fixed: 1.21.9
+ - introduced: 1.22.0-0
+ fixed: 1.22.2
+ vulnerable_at: 1.22.1
+ packages:
+ - package: net/http
+ symbols:
+ - http2Framer.readMetaFrame
+ derived_symbols:
+ - CanonicalHeaderKey
+ - Client.CloseIdleConnections
+ - Client.Do
+ - Client.Get
+ - Client.Head
+ - Client.Post
+ - Client.PostForm
+ - Cookie.String
+ - Cookie.Valid
+ - Dir.Open
+ - Error
+ - Get
+ - HandlerFunc.ServeHTTP
+ - Head
+ - Header.Add
+ - Header.Del
+ - Header.Get
+ - Header.Set
+ - Header.Values
+ - Header.Write
+ - Header.WriteSubset
+ - ListenAndServe
+ - ListenAndServeTLS
+ - NewRequest
+ - NewRequestWithContext
+ - NotFound
+ - ParseTime
+ - Post
+ - PostForm
+ - ProxyFromEnvironment
+ - ReadRequest
+ - ReadResponse
+ - Redirect
+ - Request.AddCookie
+ - Request.BasicAuth
+ - Request.FormFile
+ - Request.FormValue
+ - Request.MultipartReader
+ - Request.ParseForm
+ - Request.ParseMultipartForm
+ - Request.PostFormValue
+ - Request.Referer
+ - Request.SetBasicAuth
+ - Request.UserAgent
+ - Request.Write
+ - Request.WriteProxy
+ - Response.Cookies
+ - Response.Location
+ - Response.Write
+ - ResponseController.EnableFullDuplex
+ - ResponseController.Flush
+ - ResponseController.Hijack
+ - ResponseController.SetReadDeadline
+ - ResponseController.SetWriteDeadline
+ - Serve
+ - ServeContent
+ - ServeFile
+ - ServeMux.ServeHTTP
+ - ServeTLS
+ - Server.Close
+ - Server.ListenAndServe
+ - Server.ListenAndServeTLS
+ - Server.Serve
+ - Server.ServeTLS
+ - Server.SetKeepAlivesEnabled
+ - Server.Shutdown
+ - SetCookie
+ - Transport.CancelRequest
+ - Transport.Clone
+ - Transport.CloseIdleConnections
+ - Transport.RoundTrip
+ - body.Close
+ - body.Read
+ - bodyEOFSignal.Close
+ - bodyEOFSignal.Read
+ - bodyLocked.Read
+ - bufioFlushWriter.Write
+ - cancelTimerBody.Close
+ - cancelTimerBody.Read
+ - checkConnErrorWriter.Write
+ - chunkWriter.Write
+ - connReader.Read
+ - connectMethodKey.String
+ - expectContinueReader.Close
+ - expectContinueReader.Read
+ - extraHeader.Write
+ - fileHandler.ServeHTTP
+ - fileTransport.RoundTrip
+ - globalOptionsHandler.ServeHTTP
+ - gzipReader.Close
+ - gzipReader.Read
+ - http2ClientConn.Close
+ - http2ClientConn.Ping
+ - http2ClientConn.RoundTrip
+ - http2ClientConn.Shutdown
+ - http2ConnectionError.Error
+ - http2ErrCode.String
+ - http2FrameHeader.String
+ - http2FrameType.String
+ - http2FrameWriteRequest.String
+ - http2Framer.ReadFrame
+ - http2Framer.WriteContinuation
+ - http2Framer.WriteData
+ - http2Framer.WriteDataPadded
+ - http2Framer.WriteGoAway
+ - http2Framer.WriteHeaders
+ - http2Framer.WritePing
+ - http2Framer.WritePriority
+ - http2Framer.WritePushPromise
+ - http2Framer.WriteRSTStream
+ - http2Framer.WriteRawFrame
+ - http2Framer.WriteSettings
+ - http2Framer.WriteSettingsAck
+ - http2Framer.WriteWindowUpdate
+ - http2GoAwayError.Error
+ - http2Server.ServeConn
+ - http2Setting.String
+ - http2SettingID.String
+ - http2SettingsFrame.ForeachSetting
+ - http2StreamError.Error
+ - http2Transport.CloseIdleConnections
+ - http2Transport.NewClientConn
+ - http2Transport.RoundTrip
+ - http2Transport.RoundTripOpt
+ - http2bufferedWriter.Flush
+ - http2bufferedWriter.Write
+ - http2chunkWriter.Write
+ - http2clientConnPool.GetClientConn
+ - http2connError.Error
+ - http2dataBuffer.Read
+ - http2duplicatePseudoHeaderError.Error
+ - http2gzipReader.Close
+ - http2gzipReader.Read
+ - http2headerFieldNameError.Error
+ - http2headerFieldValueError.Error
+ - http2noDialClientConnPool.GetClientConn
+ - http2noDialH2RoundTripper.RoundTrip
+ - http2pipe.Read
+ - http2priorityWriteScheduler.CloseStream
+ - http2priorityWriteScheduler.OpenStream
+ - http2pseudoHeaderError.Error
+ - http2requestBody.Close
+ - http2requestBody.Read
+ - http2responseWriter.Flush
+ - http2responseWriter.FlushError
+ - http2responseWriter.Push
+ - http2responseWriter.SetReadDeadline
+ - http2responseWriter.SetWriteDeadline
+ - http2responseWriter.Write
+ - http2responseWriter.WriteHeader
+ - http2responseWriter.WriteString
+ - http2roundRobinWriteScheduler.OpenStream
+ - http2serverConn.CloseConn
+ - http2serverConn.Flush
+ - http2stickyErrWriter.Write
+ - http2transportResponseBody.Close
+ - http2transportResponseBody.Read
+ - http2writeData.String
+ - initALPNRequest.ServeHTTP
+ - loggingConn.Close
+ - loggingConn.Read
+ - loggingConn.Write
+ - maxBytesReader.Close
+ - maxBytesReader.Read
+ - onceCloseListener.Close
+ - persistConn.Read
+ - persistConnWriter.ReadFrom
+ - persistConnWriter.Write
+ - populateResponse.Write
+ - populateResponse.WriteHeader
+ - readTrackingBody.Close
+ - readTrackingBody.Read
+ - readWriteCloserBody.Read
+ - redirectHandler.ServeHTTP
+ - response.Flush
+ - response.FlushError
+ - response.Hijack
+ - response.ReadFrom
+ - response.Write
+ - response.WriteHeader
+ - response.WriteString
+ - serverHandler.ServeHTTP
+ - socksDialer.DialWithConn
+ - socksUsernamePassword.Authenticate
+ - stringWriter.WriteString
+ - timeoutHandler.ServeHTTP
+ - timeoutWriter.Write
+ - timeoutWriter.WriteHeader
+ - transportReadFromServerError.Error
+ - module: golang.org/x/net
+ versions:
+ - fixed: 0.23.0
+ vulnerable_at: 0.22.0
+ packages:
+ - package: golang.org/x/net/http2
+ symbols:
+ - Framer.readMetaFrame
+ derived_symbols:
+ - ClientConn.Close
+ - ClientConn.Ping
+ - ClientConn.RoundTrip
+ - ClientConn.Shutdown
+ - ConfigureServer
+ - ConfigureTransport
+ - ConfigureTransports
+ - ConnectionError.Error
+ - ErrCode.String
+ - FrameHeader.String
+ - FrameType.String
+ - FrameWriteRequest.String
+ - Framer.ReadFrame
+ - Framer.WriteContinuation
+ - Framer.WriteData
+ - Framer.WriteDataPadded
+ - Framer.WriteGoAway
+ - Framer.WriteHeaders
+ - Framer.WritePing
+ - Framer.WritePriority
+ - Framer.WritePushPromise
+ - Framer.WriteRSTStream
+ - Framer.WriteRawFrame
+ - Framer.WriteSettings
+ - Framer.WriteSettingsAck
+ - Framer.WriteWindowUpdate
+ - GoAwayError.Error
+ - ReadFrameHeader
+ - Server.ServeConn
+ - Setting.String
+ - SettingID.String
+ - SettingsFrame.ForeachSetting
+ - StreamError.Error
+ - Transport.CloseIdleConnections
+ - Transport.NewClientConn
+ - Transport.RoundTrip
+ - Transport.RoundTripOpt
+ - bufferedWriter.Flush
+ - bufferedWriter.Write
+ - chunkWriter.Write
+ - clientConnPool.GetClientConn
+ - connError.Error
+ - dataBuffer.Read
+ - duplicatePseudoHeaderError.Error
+ - gzipReader.Close
+ - gzipReader.Read
+ - headerFieldNameError.Error
+ - headerFieldValueError.Error
+ - noDialClientConnPool.GetClientConn
+ - noDialH2RoundTripper.RoundTrip
+ - pipe.Read
+ - priorityWriteScheduler.CloseStream
+ - priorityWriteScheduler.OpenStream
+ - pseudoHeaderError.Error
+ - requestBody.Close
+ - requestBody.Read
+ - responseWriter.Flush
+ - responseWriter.FlushError
+ - responseWriter.Push
+ - responseWriter.SetReadDeadline
+ - responseWriter.SetWriteDeadline
+ - responseWriter.Write
+ - responseWriter.WriteHeader
+ - responseWriter.WriteString
+ - roundRobinWriteScheduler.OpenStream
+ - serverConn.CloseConn
+ - serverConn.Flush
+ - stickyErrWriter.Write
+ - transportResponseBody.Close
+ - transportResponseBody.Read
+ - writeData.String
+summary: HTTP/2 CONTINUATION flood in net/http
+description: |-
+ An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header
+ data by sending an excessive number of CONTINUATION frames.
+
+ Maintaining HPACK state requires parsing and processing all HEADERS and
+ CONTINUATION frames on a connection. When a request's headers exceed
+ MaxHeaderBytes, no memory is allocated to store the excess headers, but they are
+ still parsed.
+
+ This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts
+ of header data, all associated with a request which is going to be rejected.
+ These headers can include Huffman-encoded data which is significantly more
+ expensive for the receiver to decode than for an attacker to send.
+
+ The fix sets a limit on the amount of excess header frames we will process
+ before closing a connection.
+credits:
+ - Bartek Nowotarski (https://nowotarski.info/)
+references:
+ - report: https://go.dev/issue/65051
+ - fix: https://go.dev/cl/576155
+ - web: https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
+cve_metadata:
+ id: CVE-2023-45288
+ cwe: 'CWE-400: Uncontrolled Resource Consumption'
