{
"schema_version": "1.3.1",
"id": "GO-2022-0233",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-01T20:18:04Z",
"aliases": [
"CVE-2021-23409",
"GHSA-xcf7-q56x-78gh"
],
"summary": "Resource exhaustion in github.com/pires/go-proxyproto",
"details": "The PROXY protocol server does not impose a timeout on reading the header from new connections, allowing a malicious client to cause resource exhaustion and a denial of service by opening many connections and sending no data on them.\n\nv0.6.0 of the proxyproto package adds support for a user-defined header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2 increases the default timeout to 10s.",
"affected": [
{
"package": {
"name": "github.com/pires/go-proxyproto",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/pires/go-proxyproto",
"symbols": [
"Listener.Accept"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/pires/go-proxyproto/pull/74"
},
{
"type": "FIX",
"url": "https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/issues/65"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0233",
"review_status": "REVIEWED"
}
}