[GO-2023-2382] Denial of service via chunk extensions in net/http
A malicious HTTP sender can use chunk extensions to cause a receiver reading
from a request or response body to read many more bytes from the network than
are in the body.
A malicious HTTP client can further exploit this to cause a server to
automatically read a large amount of data (up to about 1GiB) when a handler
fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including
additional metadata in a request or response body sent using the chunked
encoding. The net/http chunked encoding reader discards this metadata. A sender
can exploit this by inserting a large metadata segment with each byte
transferred. The chunk reader now produces an error if the ratio of real body to
encoded bytes grows too small.
| Package | Affected Version |
|---|---|
 pkg:golang/net/http/internal
|
>= 1.21.4, < 1.20.12 |
|
pkg:golang/net/http/internal
|
>= 1.21.4, < 1.21.5 |
| Package | Fixed Version |
|---|---|
|
pkg:golang/net/http/internal
|
= 1.20.12 |
|
pkg:golang/net/http/internal
|
= 1.21.5 |
- ID
- GO-2023-2382
- Severity
- medium
- Severity from
- CVE-2023-39326
- URL
- https://pkg.go.dev/vuln/GO-2023-2382
- Published
-
2023-12-05T19:45:53
(9 months ago) - Modified
-
2024-07-17T19:54:18
(2 months ago) - Other Advisories
-
-
ALAS-2024-1903
-
ALAS-2024-1920
-
ALAS2-2024-2388
-
ALAS2-2024-2424
-
ALAS2-2024-2446
-
ALAS2-2024-2458
-
ALAS2-2024-2543
-
ALAS2-2024-2556
-
ALAS2-2024-2618
-
ALPINE:CVE-2023-39326
-
ALSA-2024:0748
-
ALSA-2024:0887
-
ALSA-2024:1131
-
ALSA-2024:1149
-
ALSA-2024:2160
-
ALSA-2024:2193
-
ALSA-2024:2245
-
ALSA-2024:2272
-
ELSA-2024-0887
-
ELSA-2024-1131
-
ELSA-2024-1149
-
ELSA-2024-12189
-
ELSA-2024-12190
-
ELSA-2024-12191
-
ELSA-2024-12225
-
ELSA-2024-12226
-
ELSA-2024-12261
-
ELSA-2024-12262
-
ELSA-2024-12263
-
ELSA-2024-12264
-
ELSA-2024-2193
-
ELSA-2024-2245
-
ELSA-2024-2272
-
ELSA-2024-2988
-
FEDORA-2024-193547def8
-
GLSA-202408-07
-
RHSA-2024:0748
-
RHSA-2024:0887
-
RHSA-2024:1131
-
RHSA-2024:1149
-
RHSA-2024:1244
-
RHSA-2024:2160
-
RHSA-2024:2193
-
RHSA-2024:2245
-
RHSA-2024:2272
-
RHSA-2024:2988
-
SUSE-SU-2023:4708-1
-
SUSE-SU-2023:4709-1
-
SUSE-SU-2023:4930-1
-
SUSE-SU-2023:4931-1
-
USN-6574-1
-
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Fixed | pkg:golang/net/http/internal | net/http |
internal
|
= 1.20.12 | |||
| Affected | pkg:golang/net/http/internal | net/http |
internal
|
>= 1.21.4 < 1.20.12 | |||
| Fixed | pkg:golang/net/http/internal | net/http |
internal
|
= 1.21.5 | |||
| Affected | pkg:golang/net/http/internal | net/http |
internal
|
>= 1.21.4 < 1.21.5 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |