Vulnerabilities related to golang.org/x/net - golang.org/x/net/http2/hpack
cve-2022-41723
Vulnerability from cvelistv5
Published
2023-02-28 17:19
Modified
2025-02-13 16:33
Summary
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
References
Impacted products
Vendor | Product | Version
---|---|---
Go standard library | net/http | 0 ≤ version < 1.19.6
Go standard library | net/http | 1.20.0-0 ≤ version < 1.20.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:49:43.617Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://security.netapp.com/advisory/ntap-20230331-0010/", }, { tags: [ "x_transferred", ], url: "https://go.dev/issue/57855", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/468135", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/468295", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-1571", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/", }, { tags: [ "x_transferred", ], url: "https://www.couchbase.com/alerts/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "CVE Program Container", 
}, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "net/http", product: "net/http", programRoutines: [ { name: "Transport.RoundTrip", }, { name: "Server.Serve", }, { name: "Client.Do", }, { name: "Client.Get", }, { name: "Client.Head", }, { name: "Client.Post", }, { name: "Client.PostForm", }, { name: "Get", }, { name: "Head", }, { name: "ListenAndServe", }, { name: "ListenAndServeTLS", }, { name: "Post", }, { name: "PostForm", }, { name: "Serve", }, { name: "ServeTLS", }, { name: "Server.ListenAndServe", }, { name: "Server.ListenAndServeTLS", }, { name: "Server.ServeTLS", }, ], vendor: "Go standard library", versions: [ { lessThan: "1.19.6", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.1", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "golang.org/x/net/http2", product: "golang.org/x/net/http2", programRoutines: [ { name: "Transport.RoundTrip", }, { name: "Server.ServeConn", }, { name: "ClientConn.Close", }, { name: "ClientConn.Ping", }, { name: "ClientConn.RoundTrip", }, { name: "ClientConn.Shutdown", }, { name: "ConfigureServer", }, { name: "ConfigureTransport", }, { name: "ConfigureTransports", }, { name: "ConnectionError.Error", }, { name: "ErrCode.String", }, { name: "FrameHeader.String", }, { name: "FrameType.String", }, { name: "FrameWriteRequest.String", }, { name: "Framer.ReadFrame", }, { name: "Framer.WriteContinuation", }, { name: "Framer.WriteData", }, { name: "Framer.WriteDataPadded", }, { name: "Framer.WriteGoAway", }, { name: "Framer.WriteHeaders", }, { name: "Framer.WritePing", }, { name: "Framer.WritePriority", }, { name: "Framer.WritePushPromise", }, { name: "Framer.WriteRSTStream", }, { name: "Framer.WriteRawFrame", }, { name: "Framer.WriteSettings", }, { name: "Framer.WriteSettingsAck", }, { name: "Framer.WriteWindowUpdate", }, { name: 
"GoAwayError.Error", }, { name: "ReadFrameHeader", }, { name: "Setting.String", }, { name: "SettingID.String", }, { name: "SettingsFrame.ForeachSetting", }, { name: "StreamError.Error", }, { name: "Transport.CloseIdleConnections", }, { name: "Transport.NewClientConn", }, { name: "Transport.RoundTripOpt", }, { name: "bufferedWriter.Flush", }, { name: "bufferedWriter.Write", }, { name: "chunkWriter.Write", }, { name: "clientConnPool.GetClientConn", }, { name: "connError.Error", }, { name: "dataBuffer.Read", }, { name: "duplicatePseudoHeaderError.Error", }, { name: "gzipReader.Close", }, { name: "gzipReader.Read", }, { name: "headerFieldNameError.Error", }, { name: "headerFieldValueError.Error", }, { name: "noDialClientConnPool.GetClientConn", }, { name: "noDialH2RoundTripper.RoundTrip", }, { name: "pipe.Read", }, { name: "priorityWriteScheduler.CloseStream", }, { name: "priorityWriteScheduler.OpenStream", }, { name: "pseudoHeaderError.Error", }, { name: "requestBody.Close", }, { name: "requestBody.Read", }, { name: "responseWriter.Flush", }, { name: "responseWriter.FlushError", }, { name: "responseWriter.Push", }, { name: "responseWriter.SetReadDeadline", }, { name: "responseWriter.SetWriteDeadline", }, { name: "responseWriter.Write", }, { name: "responseWriter.WriteHeader", }, { name: "responseWriter.WriteString", }, { name: "serverConn.CloseConn", }, { name: "serverConn.Flush", }, { name: "stickyErrWriter.Write", }, { name: "transportResponseBody.Close", }, { name: "transportResponseBody.Read", }, { name: "writeData.String", }, ], vendor: "golang.org/x/net", versions: [ { lessThan: "0.7.0", status: "affected", version: "0", versionType: "semver", }, ], }, { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "golang.org/x/net/http2/hpack", product: "golang.org/x/net/http2/hpack", programRoutines: [ { name: "Decoder.parseFieldLiteral", }, { name: "Decoder.readString", }, { name: "Decoder.DecodeFull", }, { name: "Decoder.Write", }, ], 
vendor: "golang.org/x/net", versions: [ { lessThan: "0.7.0", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Philippe Antoine (Catena cyber)", }, ], descriptions: [ { lang: "en", value: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", }, ], problemTypes: [ { descriptions: [ { description: "CWE 400: Uncontrolled Resource Consumption", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-25T11:09:48.448Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/57855", }, { url: "https://go.dev/cl/468135", }, { url: "https://go.dev/cl/468295", }, { url: "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E", }, { url: "https://pkg.go.dev/vuln/GO-2023-1571", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/", }, { url: "https://www.couchbase.com/alerts/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/", }, { url: 
"https://security.gentoo.org/glsa/202311-09", }, ], title: "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2022-41723", datePublished: "2023-02-28T17:19:45.801Z", dateReserved: "2022-09-28T17:00:06.610Z", dateUpdated: "2025-02-13T16:33:09.341Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }