cve-2023-39326
Vulnerability from cvelistv5
Published
2023-12-06 16:27
Modified
2024-08-02 18:02
Severity
Summary
Denial of service via chunk extensions in net/http
References
SourceURLTags
security@golang.orghttps://go.dev/cl/547335Patch
security@golang.orghttps://go.dev/issue/64433Issue Tracking, Patch, Vendor Advisory
security@golang.orghttps://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJMailing List, Vendor Advisory
security@golang.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
security@golang.orghttps://pkg.go.dev/vuln/GO-2023-2382Patch, Vendor Advisory
Impacted products
VendorProduct
Go standard librarynet/http/internal
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/64433"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/547335"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-2382"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http/internal",
          "product": "net/http/internal",
          "programRoutines": [
            {
              "name": "chunkedReader.beginChunk"
            },
            {
              "name": "readChunkLine"
            },
            {
              "name": "chunkedReader.Read"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.20.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.21.5",
              "status": "affected",
              "version": "1.21.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Bartek Nowotarski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-06T16:27:53.832Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/64433"
        },
        {
          "url": "https://go.dev/cl/547335"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-2382"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
        }
      ],
      "title": "Denial of service via chunk extensions in net/http"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-39326",
    "datePublished": "2023-12-06T16:27:53.832Z",
    "dateReserved": "2023-07-27T17:05:55.188Z",
    "dateUpdated": "2024-08-02T18:02:06.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-39326\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2023-12-06T17:15:07.147\",\"lastModified\":\"2024-01-20T04:15:07.890\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.\"},{\"lang\":\"es\",\"value\":\"Un remitente HTTP malicioso puede usar extensiones de fragmentos para hacer que un receptor que lea el cuerpo de una solicitud o respuesta lea muchos m\u00e1s bytes de la red que los que hay en el cuerpo. Un cliente HTTP malicioso puede aprovechar esto a\u00fan m\u00e1s para hacer que un servidor lea autom\u00e1ticamente una gran cantidad de datos (hasta aproximadamente 1 GiB) cuando un controlador no puede leer el cuerpo completo de una solicitud. Las extensiones fragmentadas son una caracter\u00edstica HTTP poco utilizada que permite incluir metadatos adicionales en el cuerpo de una solicitud o respuesta enviada utilizando la codificaci\u00f3n fragmentada. El lector de codificaci\u00f3n fragmentada net/http descarta estos metadatos. Un remitente puede aprovechar esto insertando un segmento de metadatos grande con cada byte transferido. El lector de fragmentos ahora produce un error si la proporci\u00f3n entre el cuerpo real y los bytes codificados es demasiado peque\u00f1a.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.20.12\",\"matchCriteriaId\":\"17AC9A37-6678-490D-88C2-08DE6D37F16C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.21.0-0\",\"versionEndExcluding\":\"1.21.5\",\"matchCriteriaId\":\"F9B8295D-576D-410E-B65C-96DB303CBA5C\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/547335\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/64433\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/\",\"source\":\"security@golang.org\"},{\"url\":\"https://pkg.go.dev/vuln/GO-2023-2382\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.