[GO-2023-1571] Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
Severity | Affected Packages | Fixed Packages | CVEs |
---|---|---|---|
High | 4 | 4 | 1 |
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the
HPACK decoder, sufficient to cause a denial of service from a small number of
small requests.
Package | Affected Version |
---|---|
pkg:golang/net/http | >= 1.20.0, < 1.19.6 |
pkg:golang/net/http | >= 1.20.0, < 1.20.1 |
pkg:golang/golang.org/x/net/http2/hpack | >= 0.6.1-0.20230213185550-547e7edf3873, < 0.7.0 |
pkg:golang/golang.org/x/net/http2 | >= 0.6.1-0.20230213185550-547e7edf3873, < 0.7.0 |
Package | Fixed Version |
---|---|
pkg:golang/net/http | = 1.19.6 |
pkg:golang/net/http | = 1.20.1 |
pkg:golang/golang.org/x/net/http2/hpack | = 0.7.0 |
pkg:golang/golang.org/x/net/http2 | = 0.7.0 |
- ID: GO-2023-1571
- Severity: high
- Severity from: CVE-2022-41723
- URL: https://pkg.go.dev/vuln/GO-2023-1571
- Published: 2023-02-16T21:43:34 (19 months ago)
- Modified: 2024-07-17T19:54:18 (2 months ago)
- Other Advisories:
- ALAS-2023-1731
- ALAS-2023-1825
- ALAS-2023-1849
- ALAS-2023-1866
- ALAS-2023-1881
- ALAS2-2023-2015
- ALAS2-2023-2143
- ALAS2-2023-2192
- ALAS2-2023-2193
- ALAS2-2023-2194
- ALAS2-2023-2238
- ALAS2-2023-2303
- ALPINE:CVE-2022-41723
- ALSA-2023:6346
- ALSA-2023:6363
- ALSA-2023:6402
- ALSA-2023:6473
- ALSA-2023:6474
- ALSA-2023:6938
- ALSA-2023:6939
- ELSA-2023-6363
- ELSA-2023-6402
- ELSA-2023-6473
- ELSA-2023-6474
- ELSA-2023-6938
- ELSA-2023-6939
- FEDORA-2023-28c182b657
- FEDORA-2023-327346caa5
- FEDORA-2023-3737bc1c0a
- FEDORA-2023-8c02aee138
- FEDORA-2023-a5a5542890
- FEDORA-2023-abb47e24d8
- FEDORA-2023-ca444fdecf
- FEDORA-2023-cb20f08a4e
- FEDORA-2023-ccaf5538dd
- FEDORA-2023-e359fd31d2
- FREEBSD:3D73E384-AD1F-11ED-983C-83FE35862E3A
- GLSA-202311-09
- MS:CVE-2022-41723
- RHBA-2023:2181
- RHSA-2023:3083
- RHSA-2023:6346
- RHSA-2023:6363
- RHSA-2023:6402
- RHSA-2023:6473
- RHSA-2023:6474
- RHSA-2023:6938
- RHSA-2023:6939
- RHSA-2023:7058
- SUSE-SU-2023:0733-1
- SUSE-SU-2023:0735-1
- SUSE-SU-2023:0811-1
- SUSE-SU-2023:0812-1
- SUSE-SU-2023:0821-1
- SUSE-SU-2023:0869-1
- SUSE-SU-2023:0871-1
- SUSE-SU-2023:2312-1
- SUSE-SU-2023:2598-1
- SUSE-SU-2023:3867-1
- SUSE-SU-2023:3868-1
- SUSE-SU-2023:3875-1
- SUSE-SU-2023:4124-1
- SUSE-SU-2024:0191-1
- SUSE-SU-2024:0196-1
- SUSE-SU-2024:3288-1
Source | # ID | Name | URL |
---|---|---|---|
Security Advisory | | | https://github.com/advisories/GHSA-vvpx-j8f3-3w6h |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/net/http | net | http | = 1.19.6 | | | |
Affected | pkg:golang/net/http | net | http | >= 1.20.0 < 1.19.6 | | | |
Fixed | pkg:golang/net/http | net | http | = 1.20.1 | | | |
Affected | pkg:golang/net/http | net | http | >= 1.20.0 < 1.20.1 | | | |
Fixed | pkg:golang/golang.org/x/net/http2/hpack | golang.org/x/net/http2 | hpack | = 0.7.0 | | | |
Affected | pkg:golang/golang.org/x/net/http2/hpack | golang.org/x/net/http2 | hpack | >= 0.6.1-0.20230213185550-547e7edf3873 < 0.7.0 | | | |
Fixed | pkg:golang/golang.org/x/net/http2 | golang.org/x/net | http2 | = 0.7.0 | | | |
Affected | pkg:golang/golang.org/x/net/http2 | golang.org/x/net | http2 | >= 0.6.1-0.20230213185550-547e7edf3873 < 0.7.0 | | | |