| id: GO-2022-0288 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.16.12 |
| - introduced: 1.17.0-0 |
| - fixed: 1.17.5 |
| vulnerable_at: 1.17.4 |
| packages: |
| - package: net/http |
| symbols: |
| - http2serverConn.canonicalHeader |
| - module: golang.org/x/net |
| versions: |
| - fixed: 0.0.0-20211209124913-491a49abca63 |
| vulnerable_at: 0.0.0-20211208012354-db4efeb81f4b |
| packages: |
| - package: golang.org/x/net/http2 |
| symbols: |
| - serverConn.canonicalHeader |
| derived_symbols: |
| - Server.ServeConn |
| summary: Unbounded memory growth in net/http and golang.org/x/net/http2 |
| description: |- |
| An attacker can cause unbounded memory growth in servers accepting HTTP/2 |
| requests. |
| published: 2022-07-15T23:08:33Z |
| cves: |
| - CVE-2021-44716 |
| ghsas: |
| - GHSA-vc3p-29h2-gpcp |
| credits: |
| - murakmii |
| references: |
| - fix: https://go.dev/cl/369794 |
| - report: https://go.dev/issue/50058 |
| - web: https://groups.google.com/g/golang-announce/c/hcmEScgc00k |
| review_status: REVIEWED |