| id: GO-2022-0969 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.18.6 |
| - introduced: 1.19.0-0 |
| - fixed: 1.19.1 |
| vulnerable_at: 1.19.0 |
| packages: |
| - package: net/http |
| symbols: |
| - http2serverConn.goAway |
| derived_symbols: |
| - ListenAndServe |
| - ListenAndServeTLS |
| - Serve |
| - ServeTLS |
| - Server.ListenAndServe |
| - Server.ListenAndServeTLS |
| - Server.Serve |
| - Server.ServeTLS |
| - http2Server.ServeConn |
| - module: golang.org/x/net |
| versions: |
| - fixed: 0.0.0-20220906165146-f3363e06e74c |
| vulnerable_at: 0.0.0-20220826154423-83b083e8dc8b |
| packages: |
| - package: golang.org/x/net/http2 |
| symbols: |
| - serverConn.goAway |
| derived_symbols: |
| - Server.ServeConn |
| summary: Denial of service in net/http and golang.org/x/net/http2 |
| description: |- |
| HTTP/2 server connections can hang forever waiting for a clean shutdown that was |
| preempted by a fatal error. This condition can be exploited by a malicious |
| client to cause a denial of service. |
| published: 2022-09-12T20:23:06Z |
| cves: |
| - CVE-2022-27664 |
| ghsas: |
| - GHSA-69cg-p879-7622 |
| credits: |
| - Bahruz Jabiyev |
| - Tommaso Innocenti |
| - Anthony Gavazzi |
| - Steven Sprecher |
| - Kaan Onarlioglu |
| references: |
| - web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s |
| - report: https://go.dev/issue/54658 |
| - fix: https://go.dev/cl/428735 |
| review_status: REVIEWED |