gsd-2023-45288
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Aliases
Aliases
CVE-2023-45288


To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-45288",
    "id": "GSD-2023-45288"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-45288"
      ],
      "details": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
      "id": "GSD-2023-45288",
      "modified": "2023-12-13T01:20:38.271432Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@golang.org",
        "ID": "CVE-2023-45288",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "net/http",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "1.21.9"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.22.0-0",
                          "version_value": "1.22.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Go standard library"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "golang.org/x/net/http2",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.23.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "golang.org/x/net"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Bartek Nowotarski (https://nowotarski.info/)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://go.dev/issue/65051",
            "refsource": "MISC",
            "url": "https://go.dev/issue/65051"
          },
          {
            "name": "https://go.dev/cl/576155",
            "refsource": "MISC",
            "url": "https://go.dev/cl/576155"
          },
          {
            "name": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M",
            "refsource": "MISC",
            "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
          },
          {
            "name": "https://pkg.go.dev/vuln/GO-2024-2687",
            "refsource": "MISC",
            "url": "https://pkg.go.dev/vuln/GO-2024-2687"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240419-0009/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
          },
          {
            "lang": "es",
            "value": "Un atacante puede hacer que un endpoint HTTP/2 lea cantidades arbitrarias de datos de encabezado enviando una cantidad excesiva de tramas de CONTINUACI\u00d3N. Mantener el estado de HPACK requiere analizar y procesar todos los encabezados y tramas de CONTINUACI\u00d3N en una conexi\u00f3n. Cuando los encabezados de una solicitud exceden MaxHeaderBytes, no se asigna memoria para almacenar los encabezados sobrantes, pero a\u00fan as\u00ed se analizan. Esto permite a un atacante hacer que un endpoint HTTP/2 lea cantidades arbitrarias de datos de encabezado, todos asociados con una solicitud que ser\u00e1 rechazada. Estos encabezados pueden incluir datos codificados por Huffman, cuya decodificaci\u00f3n es significativamente m\u00e1s costosa para el receptor que para el atacante. La soluci\u00f3n establece un l\u00edmite en la cantidad de fotogramas de encabezado excedentes que procesaremos antes de cerrar una conexi\u00f3n."
          }
        ],
        "id": "CVE-2023-45288",
        "lastModified": "2024-04-25T06:15:52.357",
        "metrics": {},
        "published": "2024-04-04T21:15:16.113",
        "references": [
          {
            "source": "security@golang.org",
            "url": "https://go.dev/cl/576155"
          },
          {
            "source": "security@golang.org",
            "url": "https://go.dev/issue/65051"
          },
          {
            "source": "security@golang.org",
            "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
          },
          {
            "source": "security@golang.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
          },
          {
            "source": "security@golang.org",
            "url": "https://pkg.go.dev/vuln/GO-2024-2687"
          },
          {
            "source": "security@golang.org",
            "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
          }
        ],
        "sourceIdentifier": "security@golang.org",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.