data/reports/GO-2021-0172.yaml - vulndb - Git at Google

 id: GO-2021-0172
 modules:
     - module: std
       versions:
         - fixed: 1.6.4
         - introduced: 1.7.0-0
           fixed: 1.7.4
       vulnerable_at: 1.7.3
       packages:
         - package: mime/multipart
           symbols:
             - Reader.readForm
           skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
 summary: Denial of service when parsing large forms in mime/multipart
 description: |-
     When parsing large multipart/form-data, an attacker can cause a HTTP server to
     open a large number of file descriptors. This may be used as a denial-of-service
     vector.
 published: 2022-02-15T23:56:14Z
 cves:
     - CVE-2017-1000098
 credits:
     - Simon Rawet
 references:
     - fix: https://go.dev/cl/30410
     - fix: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
     - report: https://go.dev/issue/16296
     - web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
	id: GO-2021-0172
	modules:
	- module: std
	versions:
	- fixed: 1.6.4
	- introduced: 1.7.0-0
	fixed: 1.7.4
	vulnerable_at: 1.7.3
	packages:
	- package: mime/multipart
	symbols:
	- Reader.readForm
	skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
	summary: Denial of service when parsing large forms in mime/multipart
	description: \|-
	When parsing large multipart/form-data, an attacker can cause a HTTP server to
	open a large number of file descriptors. This may be used as a denial-of-service
	vector.
	published: 2022-02-15T23:56:14Z
	cves:
	- CVE-2017-1000098
	credits:
	- Simon Rawet
	references:
	- fix: https://go.dev/cl/30410
	- fix: https://go.googlesource.com/go/+/7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
	- report: https://go.dev/issue/16296
	- web: https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ