blob: c9fce2fcc9c3df7bcf55ef07cd8ff5faffb47aa7 [file] [log] [blame]
id: GO-2022-0969
modules:
- module: std
versions:
- fixed: 1.18.6
- introduced: 1.19.0-0
fixed: 1.19.1
vulnerable_at: 1.19.0
packages:
- package: net/http
symbols:
- http2serverConn.goAway
derived_symbols:
- ListenAndServe
- ListenAndServeTLS
- Serve
- ServeTLS
- Server.ListenAndServe
- Server.ListenAndServeTLS
- Server.Serve
- Server.ServeTLS
- http2Server.ServeConn
- module: golang.org/x/net
versions:
- fixed: 0.0.0-20220906165146-f3363e06e74c
vulnerable_at: 0.0.0-20220826154423-83b083e8dc8b
packages:
- package: golang.org/x/net/http2
symbols:
- serverConn.goAway
derived_symbols:
- Server.ServeConn
summary: Denial of service in net/http and golang.org/x/net/http2
description: |-
HTTP/2 server connections can hang forever waiting for a clean shutdown that was
preempted by a fatal error. This condition can be exploited by a malicious
client to cause a denial of service.
published: 2022-09-12T20:23:06Z
cves:
- CVE-2022-27664
ghsas:
- GHSA-69cg-p879-7622
credits:
- Bahruz Jabiyev
- Tommaso Innocenti
- Anthony Gavazzi
- Steven Sprecher
- Kaan Onarlioglu
references:
- web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
- report: https://go.dev/issue/54658
- fix: https://go.dev/cl/428735