data/reports/GO-2023-2382.yaml - vulndb - Git at Google

 id: GO-2023-2382
 modules:
     - module: std
       versions:
         - fixed: 1.20.12
         - introduced: 1.21.0-0
         - fixed: 1.21.5
       vulnerable_at: 1.21.4
       packages:
         - package: net/http/internal
           symbols:
             - chunkedReader.beginChunk
             - readChunkLine
           derived_symbols:
             - chunkedReader.Read
 summary: Denial of service via chunk extensions in net/http
 description: |-
     A malicious HTTP sender can use chunk extensions to cause a receiver reading
     from a request or response body to read many more bytes from the network than
     are in the body.

     A malicious HTTP client can further exploit this to cause a server to
     automatically read a large amount of data (up to about 1GiB) when a handler
     fails to read the entire body of a request.

     Chunk extensions are a little-used HTTP feature which permit including
     additional metadata in a request or response body sent using the chunked
     encoding. The net/http chunked encoding reader discards this metadata. A sender
     can exploit this by inserting a large metadata segment with each byte
     transferred. The chunk reader now produces an error if the ratio of real body to
     encoded bytes grows too small.
 credits:
     - Bartek Nowotarski
 references:
     - report: https://go.dev/issue/64433
     - fix: https://go.dev/cl/547335
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
 cve_metadata:
     id: CVE-2023-39326
     cwe: 'CWE-400: Uncontrolled Resource Consumption'
     references:
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
 review_status: REVIEWED
	id: GO-2023-2382
	modules:
	- module: std
	versions:
	- fixed: 1.20.12
	- introduced: 1.21.0-0
	- fixed: 1.21.5
	vulnerable_at: 1.21.4
	packages:
	- package: net/http/internal
	symbols:
	- chunkedReader.beginChunk
	- readChunkLine
	derived_symbols:
	- chunkedReader.Read
	summary: Denial of service via chunk extensions in net/http
	description: \|-
	A malicious HTTP sender can use chunk extensions to cause a receiver reading
	from a request or response body to read many more bytes from the network than
	are in the body.

	A malicious HTTP client can further exploit this to cause a server to
	automatically read a large amount of data (up to about 1GiB) when a handler
	fails to read the entire body of a request.

	Chunk extensions are a little-used HTTP feature which permit including
	additional metadata in a request or response body sent using the chunked
	encoding. The net/http chunked encoding reader discards this metadata. A sender
	can exploit this by inserting a large metadata segment with each byte
	transferred. The chunk reader now produces an error if the ratio of real body to
	encoded bytes grows too small.
	credits:
	- Bartek Nowotarski
	references:
	- report: https://go.dev/issue/64433
	- fix: https://go.dev/cl/547335
	- web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
	cve_metadata:
	id: CVE-2023-39326
	cwe: 'CWE-400: Uncontrolled Resource Consumption'
	references:
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
	review_status: REVIEWED