[GO-2023-2382] Denial of service via chunk extensions in net/http
A malicious HTTP sender can use chunk extensions to cause a receiver reading
from a request or response body to read many more bytes from the network than
are in the body.
A malicious HTTP client can further exploit this to cause a server to
automatically read a large amount of data (up to about 1GiB) when a handler
fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature that permits including
additional metadata in a request or response body sent using the chunked
encoding. The net/http chunked encoding reader discards this metadata. A sender
can exploit this by inserting a large metadata segment with each byte
transferred. The chunk reader now produces an error if the ratio of real body to
encoded bytes grows too small.
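As an added illustration (not the Go project's own code), the following hypothetical, simplified chunked-body decoder shows the kind of non-data budget the fix describes: framing bytes (size lines, extensions, CRLFs) are charged against a running excess that chunk data pays down, and the read fails once that excess passes a limit. The function name, the `maxExcess` parameter and the error value are assumptions for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"strconv"
	"strings"
)

// ErrTooMuchNonData: framing (size lines, extensions, CRLFs) has run too far ahead of the data.
var ErrTooMuchNonData = errors.New("chunked: too much non-data in encoding")

// DecodeChunked is a simplified, hypothetical chunked-body decoder written for
// this example (not net/http's reader). It tracks the running excess of non-data
// wire bytes; chunk data pays it down, and the read fails once it passes maxExcess.
func DecodeChunked(wire string, maxExcess int64) ([]byte, error) {
	r := bufio.NewReader(strings.NewReader(wire))
	var body bytes.Buffer
	var excess int64
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		// A chunk extension follows the size after ';' and carries no data.
		sizeField, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), ";")
		size, err := strconv.ParseInt(strings.TrimSpace(sizeField), 16, 64)
		if err != nil || size < 0 {
			return nil, errors.New("chunked: bad chunk size")
		}
		if excess += int64(len(line)) + 2; excess > maxExcess { // +2: CRLF after the data
			return nil, ErrTooMuchNonData
		}
		if size == 0 {
			return body.Bytes(), nil // trailers are ignored in this example
		}
		if _, err := io.CopyN(&body, r, size); err != nil {
			return nil, err
		}
		if crlf, _ := r.Peek(2); string(crlf) != "\r\n" {
			return nil, errors.New("chunked: missing CRLF after chunk data")
		}
		r.Discard(2)
		if excess -= size; excess < 0 { // data pays the debt but earns no credit
			excess = 0
		}
	}
}
```

With a 1024-byte budget, an honest body with small extensions decodes normally, while a one-byte chunk carrying a 4000-byte extension is rejected before any further bytes are pulled from the connection.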
Package | Affected Version |
---|---|
pkg:golang/net/http/internal | >= 1.21.4, < 1.20.12 |
pkg:golang/net/http/internal | >= 1.21.4, < 1.21.5 |
Package | Fixed Version |
---|---|
pkg:golang/net/http/internal | = 1.20.12 |
pkg:golang/net/http/internal | = 1.21.5 |
- ID: GO-2023-2382
- Severity: medium
- Severity from: CVE-2023-39326
- URL: https://pkg.go.dev/vuln/GO-2023-2382
- Published: 2023-12-05T19:45:53
- Modified: 2024-07-17T19:54:18
- Other Advisories:
- ALAS-2024-1903
- ALAS-2024-1920
- ALAS2-2024-2388
- ALAS2-2024-2424
- ALAS2-2024-2446
- ALAS2-2024-2458
- ALAS2-2024-2543
- ALAS2-2024-2556
- ALAS2-2024-2618
- ALPINE:CVE-2023-39326
- ALSA-2024:0748
- ALSA-2024:0887
- ALSA-2024:1131
- ALSA-2024:1149
- ALSA-2024:2160
- ALSA-2024:2193
- ALSA-2024:2245
- ALSA-2024:2272
- ELSA-2024-0887
- ELSA-2024-1131
- ELSA-2024-1149
- ELSA-2024-12189
- ELSA-2024-12190
- ELSA-2024-12191
- ELSA-2024-12225
- ELSA-2024-12226
- ELSA-2024-12261
- ELSA-2024-12262
- ELSA-2024-12263
- ELSA-2024-12264
- ELSA-2024-2193
- ELSA-2024-2245
- ELSA-2024-2272
- ELSA-2024-2988
- FEDORA-2024-193547def8
- GLSA-202408-07
- RHSA-2024:0748
- RHSA-2024:0887
- RHSA-2024:1131
- RHSA-2024:1149
- RHSA-2024:1244
- RHSA-2024:2160
- RHSA-2024:2193
- RHSA-2024:2245
- RHSA-2024:2272
- RHSA-2024:2988
- SUSE-SU-2023:4708-1
- SUSE-SU-2023:4709-1
- SUSE-SU-2023:4930-1
- SUSE-SU-2023:4931-1
- USN-6574-1
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/net/http/internal | net/http | internal | = 1.20.12 | | | |
Affected | pkg:golang/net/http/internal | net/http | internal | >= 1.21.4 < 1.20.12 | | | |
Fixed | pkg:golang/net/http/internal | net/http | internal | = 1.21.5 | | | |
Affected | pkg:golang/net/http/internal | net/http | internal | >= 1.21.4 < 1.21.5 | | | |