blob: b07fb9d4f1dfd56d4261ef296b603714f481e0bd [file] [log] [blame]
id: GO-2022-0536
modules:
- module: std
versions:
- fixed: 1.11.13
- introduced: 1.12.0-0
- fixed: 1.12.8
vulnerable_at: 1.12.7
packages:
- package: net/http
symbols:
- http2serverConn.serve
- http2serverConn.writeFrame
- http2serverConn.scheduleFrameWrite
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
- module: golang.org/x/net
versions:
- fixed: 0.0.0-20190813141303-74dc4d7220e7
vulnerable_at: 0.0.0-20190607181551-461777fb6f67
packages:
- package: golang.org/x/net/http2
symbols:
- serverConn.serve
- serverConn.writeFrame
- serverConn.scheduleFrameWrite
derived_symbols:
- Server.ServeConn
summary: Reset flood in net/http and golang.org/x/net/http
description: |-
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading
to a denial of service.
Servers that accept direct connections from untrusted clients could be remotely
made to allocate an unlimited amount of memory, until the program crashes. The
attacker opens a number of streams and sends an invalid request over each stream
that should solicit a stream of RST_STREAM frames from the peer. Depending on
how the peer queues the RST_STREAM frames, this can consume excess memory, CPU,
or both.
published: 2022-08-01T22:20:53Z
cves:
- CVE-2019-9512
- CVE-2019-9514
ghsas:
- GHSA-39qc-96h7-956f
- GHSA-hgr8-6h9x-f7q9
credits:
- Jonathan Looney of Netflix
references:
- fix: https://go.dev/cl/190137
- fix: https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5
- report: https://go.dev/issue/33606
- web: https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ
review_status: REVIEWED