BIT-golang-2023-45288

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/golang/BIT-golang-2023-45288.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-golang-2023-45288
Aliases
Published
2024-04-06T18:19:39.789Z
Modified
2024-10-15T05:57:11.509390Z
Summary
[none]
Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

References

Affected packages

Bitnami / golang

Package

Name
golang
Purl
pkg:bitnami/golang

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.21.9
Introduced
1.22.0-0
Fixed
1.22.2