| id: GO-2024-2963 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.21.12 |
| - introduced: 1.22.0-0 |
| - fixed: 1.22.5 |
| vulnerable_at: 1.22.4 |
| packages: |
| - package: net/http |
| symbols: |
| - persistConn.readResponse |
| derived_symbols: |
| - Client.CloseIdleConnections |
| - Client.Do |
| - Client.Get |
| - Client.Head |
| - Client.Post |
| - Client.PostForm |
| - Get |
| - Head |
| - Post |
| - PostForm |
| - Transport.CancelRequest |
| - Transport.CloseIdleConnections |
| - Transport.RoundTrip |
| summary: Denial of service due to improper 100-continue handling in net/http |
| description: |- |
| The net/http HTTP/1.1 client mishandled the case where a server responds to a |
| request with an "Expect: 100-continue" header with a non-informational (200 or |
| higher) status. This mishandling could leave a client connection in an invalid |
| state, where the next request sent on the connection will fail. |
| |
| An attacker sending a request to a net/http/httputil.ReverseProxy proxy can |
| exploit this mishandling to cause a denial of service by sending "Expect: |
| 100-continue" requests which elicit a non-informational response from the |
| backend. Each such request leaves the proxy with an invalid connection, and |
| causes one subsequent request using that connection to fail. |
| credits: |
| - Geoff Franks |
| references: |
| - fix: https://go.dev/cl/591255 |
| - report: https://go.dev/issue/67555 |
| - web: https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ |
| cve_metadata: |
| id: CVE-2024-24791 |
| cwe: 'CWE 400: Uncontrolled Resource Consumption' |
| source: |
| id: go-security-team |
| created: 2024-07-02T15:43:26.900923-04:00 |
| review_status: REVIEWED |
