[GO-2023-1571] Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
Severity
High
Affected Packages
4
Fixed Packages
4
CVEs
1
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the
HPACK decoder, sufficient to cause a denial of service from a small number of
small requests.
| Package | Affected Version |
|---|---|
 pkg:golang/net/http
|
>= 1.20.0, < 1.19.6 |
|
pkg:golang/net/http
|
>= 1.20.0, < 1.20.1 |
|
pkg:golang/golang.org/x/net/http2/hpack
|
>= 0.6.1-0.20230213185550-547e7edf3873, < 0.7.0 |
|
pkg:golang/golang.org/x/net/http2
|
>= 0.6.1-0.20230213185550-547e7edf3873, < 0.7.0 |
| Package | Fixed Version |
|---|---|
|
pkg:golang/net/http
|
= 1.19.6 |
|
pkg:golang/net/http
|
= 1.20.1 |
|
pkg:golang/golang.org/x/net/http2/hpack
|
= 0.7.0 |
|
pkg:golang/golang.org/x/net/http2
|
= 0.7.0 |
- ID
- GO-2023-1571
- Severity
- high
- Severity from
- CVE-2022-41723
- URL
- https://pkg.go.dev/vuln/GO-2023-1571
- Published
-
2023-02-16T21:43:34
(19 months ago) - Modified
-
2024-07-17T19:54:18
(2 months ago) - Other Advisories
-
-
ALAS-2023-1731
-
ALAS-2023-1825
-
ALAS-2023-1849
-
ALAS-2023-1866
-
ALAS-2023-1881
-
ALAS2-2023-2015
-
ALAS2-2023-2143
-
ALAS2-2023-2192
-
ALAS2-2023-2193
-
ALAS2-2023-2194
-
ALAS2-2023-2238
-
ALAS2-2023-2303
-
ALPINE:CVE-2022-41723
-
ALSA-2023:6346
-
ALSA-2023:6363
-
ALSA-2023:6402
-
ALSA-2023:6473
-
ALSA-2023:6474
-
ALSA-2023:6938
-
ALSA-2023:6939
-
ELSA-2023-6363
-
ELSA-2023-6402
-
ELSA-2023-6473
-
ELSA-2023-6474
-
ELSA-2023-6938
-
ELSA-2023-6939
-
FEDORA-2023-28c182b657
-
FEDORA-2023-327346caa5
-
FEDORA-2023-3737bc1c0a
-
FEDORA-2023-8c02aee138
-
FEDORA-2023-a5a5542890
-
FEDORA-2023-abb47e24d8
-
FEDORA-2023-ca444fdecf
-
FEDORA-2023-cb20f08a4e
-
FEDORA-2023-ccaf5538dd
-
FEDORA-2023-e359fd31d2
-
FREEBSD:3D73E384-AD1F-11ED-983C-83FE35862E3A
-
GLSA-202311-09
-
MS:CVE-2022-41723
-
RHBA-2023:2181
-
RHSA-2023:3083
-
RHSA-2023:6346
-
RHSA-2023:6363
-
RHSA-2023:6402
-
RHSA-2023:6473
-
RHSA-2023:6474
-
RHSA-2023:6938
-
RHSA-2023:6939
-
RHSA-2023:7058
-
SUSE-SU-2023:0733-1
-
SUSE-SU-2023:0735-1
-
SUSE-SU-2023:0811-1
-
SUSE-SU-2023:0812-1
-
SUSE-SU-2023:0821-1
-
SUSE-SU-2023:0869-1
-
SUSE-SU-2023:0871-1
-
SUSE-SU-2023:2312-1
-
SUSE-SU-2023:2598-1
-
SUSE-SU-2023:3867-1
-
SUSE-SU-2023:3868-1
-
SUSE-SU-2023:3875-1
-
SUSE-SU-2023:4124-1
-
SUSE-SU-2024:0191-1
-
SUSE-SU-2024:0196-1
-
SUSE-SU-2024:3288-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| Security Advisory |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Fixed | pkg:golang/net/http | net |
http
|
= 1.19.6 | |||
| Affected | pkg:golang/net/http | net |
http
|
>= 1.20.0 < 1.19.6 | |||
| Fixed | pkg:golang/net/http | net |
http
|
= 1.20.1 | |||
| Affected | pkg:golang/net/http | net |
http
|
>= 1.20.0 < 1.20.1 | |||
| Fixed | pkg:golang/golang.org/x/net/http2/hpack | golang.org/x/net/http2 |
hpack
|
= 0.7.0 | |||
| Affected | pkg:golang/golang.org/x/net/http2/hpack | golang.org/x/net/http2 |
hpack
|
>= 0.6.1-0.20230213185550-547e7edf3873 < 0.7.0 | |||
| Fixed | pkg:golang/golang.org/x/net/http2 | golang.org/x/net |
http2
|
= 0.7.0 | |||
| Affected | pkg:golang/golang.org/x/net/http2 | golang.org/x/net |
http2
|
>= 0.6.1-0.20230213185550-547e7edf3873 < 0.7.0 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |