data/reports/GO-2022-1144.yaml - vulndb - Git at Google

 id: GO-2022-1144
 modules:
     - module: std
       versions:
         - fixed: 1.18.9
         - introduced: 1.19.0-0
           fixed: 1.19.4
       vulnerable_at: 1.19.3
       packages:
         - package: net/http
           symbols:
             - http2serverConn.canonicalHeader
           derived_symbols:
             - ListenAndServe
             - ListenAndServeTLS
             - Serve
             - ServeTLS
             - Server.ListenAndServe
             - Server.ListenAndServeTLS
             - Server.Serve
             - Server.ServeTLS
             - http2Server.ServeConn
     - module: golang.org/x/net
       versions:
         - fixed: 0.4.0
       vulnerable_at: 0.3.0
       packages:
         - package: golang.org/x/net/http2
           symbols:
             - serverConn.canonicalHeader
           derived_symbols:
             - Server.ServeConn
 summary: Excessive memory growth in net/http and golang.org/x/net/http2
 description: |-
     An attacker can cause excessive memory growth in a Go server accepting HTTP/2
     requests.

     HTTP/2 server connections contain a cache of HTTP header keys sent by the
     client. While the total number of entries in this cache is capped, an attacker
     sending very large keys can cause the server to allocate approximately 64 MiB
     per open connection.
 ghsas:
     - GHSA-xrjj-mj9h-534m
 credits:
     - Josselin Costanzi
 references:
     - report: https://go.dev/issue/56350
     - fix: https://go.dev/cl/455717
     - fix: https://go.dev/cl/455635
     - web: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
 cve_metadata:
     id: CVE-2022-41717
     cwe: 'CWE 400: Uncontrolled Resource Consumption'
     references:
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
         - https://security.gentoo.org/glsa/202311-09
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/
	id: GO-2022-1144
	modules:
	- module: std
	versions:
	- fixed: 1.18.9
	- introduced: 1.19.0-0
	fixed: 1.19.4
	vulnerable_at: 1.19.3
	packages:
	- package: net/http
	symbols:
	- http2serverConn.canonicalHeader
	derived_symbols:
	- ListenAndServe
	- ListenAndServeTLS
	- Serve
	- ServeTLS
	- Server.ListenAndServe
	- Server.ListenAndServeTLS
	- Server.Serve
	- Server.ServeTLS
	- http2Server.ServeConn
	- module: golang.org/x/net
	versions:
	- fixed: 0.4.0
	vulnerable_at: 0.3.0
	packages:
	- package: golang.org/x/net/http2
	symbols:
	- serverConn.canonicalHeader
	derived_symbols:
	- Server.ServeConn
	summary: Excessive memory growth in net/http and golang.org/x/net/http2
	description: \|-
	An attacker can cause excessive memory growth in a Go server accepting HTTP/2
	requests.

	HTTP/2 server connections contain a cache of HTTP header keys sent by the
	client. While the total number of entries in this cache is capped, an attacker
	sending very large keys can cause the server to allocate approximately 64 MiB
	per open connection.
	ghsas:
	- GHSA-xrjj-mj9h-534m
	credits:
	- Josselin Costanzi
	references:
	- report: https://go.dev/issue/56350
	- fix: https://go.dev/cl/455717
	- fix: https://go.dev/cl/455635
	- web: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
	cve_metadata:
	id: CVE-2022-41717
	cwe: 'CWE 400: Uncontrolled Resource Consumption'
	references:
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
	- https://security.gentoo.org/glsa/202311-09
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/