packages:
  - module: github.com/pires/go-proxyproto
    symbols:
      - Listener.Accept
    versions:
      - fixed: 0.6.1
    vulnerable_at: 0.5.0
description: |
  The PROXY protocol server does not impose a timeout on reading the header
  from new connections, allowing a malicious client to cause resource
  exhaustion and a denial of service by opening many connections and
  sending no data on them.
  v0.6.0 of the proxyproto package adds support for a user-defined
  header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2
  increases the default timeout to 10s.
cves:
  - CVE-2021-23409
ghsas:
  - GHSA-xcf7-q56x-78gh
links:
  pr: https://github.com/pires/go-proxyproto/pull/74
  commit: https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346
  context:
    - https://github.com/pires/go-proxyproto/issues/65