blob: c1a17f0b7b9929ad386fc10056e87e91a15e0403 [file] [log] [blame]
id: GO-2023-1571
modules:
- module: std
versions:
- fixed: 1.19.6
- introduced: 1.20.0-0
fixed: 1.20.1
vulnerable_at: 1.20.0
packages:
- package: net/http
symbols:
- Transport.RoundTrip
- Server.Serve
derived_symbols:
- Client.Do
- Client.Get
- Client.Head
- Client.Post
- Client.PostForm
- Get
- Head
- ListenAndServe
- ListenAndServeTLS
- Post
- PostForm
- Serve
- ServeTLS
- Server.ListenAndServe
- Server.ListenAndServeTLS
- Server.ServeTLS
- module: golang.org/x/net
versions:
- fixed: 0.7.0
vulnerable_at: 0.6.1-0.20230213185550-547e7edf3873
packages:
- package: golang.org/x/net/http2
symbols:
- Transport.RoundTrip
- Server.ServeConn
derived_symbols:
- ClientConn.Close
- ClientConn.Ping
- ClientConn.RoundTrip
- ClientConn.Shutdown
- ConfigureServer
- ConfigureTransport
- ConfigureTransports
- ConnectionError.Error
- ErrCode.String
- FrameHeader.String
- FrameType.String
- FrameWriteRequest.String
- Framer.ReadFrame
- Framer.WriteContinuation
- Framer.WriteData
- Framer.WriteDataPadded
- Framer.WriteGoAway
- Framer.WriteHeaders
- Framer.WritePing
- Framer.WritePriority
- Framer.WritePushPromise
- Framer.WriteRSTStream
- Framer.WriteRawFrame
- Framer.WriteSettings
- Framer.WriteSettingsAck
- Framer.WriteWindowUpdate
- GoAwayError.Error
- ReadFrameHeader
- Setting.String
- SettingID.String
- SettingsFrame.ForeachSetting
- StreamError.Error
- Transport.CloseIdleConnections
- Transport.NewClientConn
- Transport.RoundTripOpt
- bufferedWriter.Flush
- bufferedWriter.Write
- chunkWriter.Write
- clientConnPool.GetClientConn
- connError.Error
- dataBuffer.Read
- duplicatePseudoHeaderError.Error
- gzipReader.Close
- gzipReader.Read
- headerFieldNameError.Error
- headerFieldValueError.Error
- noDialClientConnPool.GetClientConn
- noDialH2RoundTripper.RoundTrip
- pipe.Read
- priorityWriteScheduler.CloseStream
- priorityWriteScheduler.OpenStream
- pseudoHeaderError.Error
- requestBody.Close
- requestBody.Read
- responseWriter.Flush
- responseWriter.FlushError
- responseWriter.Push
- responseWriter.SetReadDeadline
- responseWriter.SetWriteDeadline
- responseWriter.Write
- responseWriter.WriteHeader
- responseWriter.WriteString
- serverConn.CloseConn
- serverConn.Flush
- stickyErrWriter.Write
- transportResponseBody.Close
- transportResponseBody.Read
- writeData.String
- package: golang.org/x/net/http2/hpack
symbols:
- Decoder.parseFieldLiteral
- Decoder.readString
derived_symbols:
- Decoder.DecodeFull
- Decoder.Write
summary: Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
description: |-
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the
HPACK decoder, sufficient to cause a denial of service from a small number of
small requests.
ghsas:
- GHSA-vvpx-j8f3-3w6h
credits:
- Philippe Antoine (Catena cyber)
references:
- report: https://go.dev/issue/57855
- fix: https://go.dev/cl/468135
- fix: https://go.dev/cl/468295
- web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
cve_metadata:
id: CVE-2022-41723
cwe: 'CWE 400: Uncontrolled Resource Consumption'
references:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/