cve-2023-24534
Vulnerability from cvelistv5
Published
2023-04-06 15:50
Modified
2024-08-02 11:03
Severity ?
Summary
Excessive memory allocation in net/http and net/textproto
References
security@golang.orghttps://go.dev/cl/481994Patch, Vendor Advisory
security@golang.orghttps://go.dev/issue/58975Issue Tracking, Vendor Advisory
security@golang.orghttps://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8Mailing List, Patch
security@golang.orghttps://pkg.go.dev/vuln/GO-2023-1704Vendor Advisory
security@golang.orghttps://security.gentoo.org/glsa/202311-09
security@golang.orghttps://security.netapp.com/advisory/ntap-20230526-0007/
Impacted products
Go standard librarynet/textproto
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:03:17.787Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/58975"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/481994"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1704"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230526-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/textproto",
          "product": "net/textproto",
          "programRoutines": [
            {
              "name": "readMIMEHeader"
            },
            {
              "name": "Reader.upcomingHeaderNewlines"
            },
            {
              "name": "Reader.ReadMIMEHeader"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.3",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakob Ackermann (@das7pad)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-12T19:08:10.543Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/58975"
        },
        {
          "url": "https://go.dev/cl/481994"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1704"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230526-0007/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Excessive memory allocation in net/http and net/textproto"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-24534",
    "datePublished": "2023-04-06T15:50:45.710Z",
    "dateReserved": "2023-01-25T21:19:20.642Z",
    "dateUpdated": "2024-08-02T11:03:17.787Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-24534\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2023-04-06T16:15:07.657\",\"lastModified\":\"2023-11-25T11:15:14.030\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.19.8\",\"matchCriteriaId\":\"5932E25E-7F00-4D6E-AFF8-4C5797AE628B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.20.0\",\"versionEndExcluding\":\"1.20.3\",\"matchCriteriaId\":\"66CADC8B-8F8A-493C-8819-852F0AE224AC\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/481994\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://go.dev/issue/58975\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2023-1704\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"security@golang.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20230526-0007/\",\"source\":\"security@golang.org\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.