| id: GO-2022-1144 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.18.9 |
| - introduced: 1.19.0-0 |
| fixed: 1.19.4 |
| vulnerable_at: 1.19.3 |
| packages: |
| - package: net/http |
| symbols: |
| - http2serverConn.canonicalHeader |
| derived_symbols: |
| - ListenAndServe |
| - ListenAndServeTLS |
| - Serve |
| - ServeTLS |
| - Server.ListenAndServe |
| - Server.ListenAndServeTLS |
| - Server.Serve |
| - Server.ServeTLS |
| - http2Server.ServeConn |
| - module: golang.org/x/net |
| versions: |
| - fixed: 0.4.0 |
| vulnerable_at: 0.3.0 |
| packages: |
| - package: golang.org/x/net/http2 |
| symbols: |
| - serverConn.canonicalHeader |
| derived_symbols: |
| - Server.ServeConn |
| summary: Excessive memory growth in net/http and golang.org/x/net/http2 |
| description: |- |
| An attacker can cause excessive memory growth in a Go server accepting HTTP/2 |
| requests. |
| |
| HTTP/2 server connections contain a cache of HTTP header keys sent by the |
| client. While the total number of entries in this cache is capped, an attacker |
| sending very large keys can cause the server to allocate approximately 64 MiB |
| per open connection. |
| ghsas: |
| - GHSA-xrjj-mj9h-534m |
| credits: |
| - Josselin Costanzi |
| references: |
| - report: https://go.dev/issue/56350 |
| - fix: https://go.dev/cl/455717 |
| - fix: https://go.dev/cl/455635 |
| - web: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ |
| cve_metadata: |
| id: CVE-2022-41717 |
| cwe: 'CWE 400: Uncontrolled Resource Consumption' |
| references: |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/ |