gsd-2023-45290
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
Aliases
Aliases
CVE-2023-45290


To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-45290",
    "id": "GSD-2023-45290"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-45290"
      ],
      "details": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.",
      "id": "GSD-2023-45290",
      "modified": "2023-12-13T01:20:37.792804Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@golang.org",
        "ID": "CVE-2023-45290",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "net/textproto",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "1.21.8"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.22.0-0",
                          "version_value": "1.22.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Go standard library"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Bartek Nowotarski"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://go.dev/issue/65383",
            "refsource": "MISC",
            "url": "https://go.dev/issue/65383"
          },
          {
            "name": "https://go.dev/cl/569341",
            "refsource": "MISC",
            "url": "https://go.dev/cl/569341"
          },
          {
            "name": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg",
            "refsource": "MISC",
            "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"
          },
          {
            "name": "https://pkg.go.dev/vuln/GO-2024-2599",
            "refsource": "MISC",
            "url": "https://pkg.go.dev/vuln/GO-2024-2599"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240329-0004/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20240329-0004/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines."
          },
          {
            "lang": "es",
            "value": "Al analizar un formulario de varias partes (ya sea expl\u00edcitamente con Request.ParseMultipartForm o impl\u00edcitamente con Request.FormValue, Request.PostFormValue o Request.FormFile), no se aplicaron l\u00edmites en el tama\u00f1o total del formulario analizado a la memoria consumida al leer un solo formulario l\u00ednea. Esto permite que una entrada creada con fines malintencionados que contenga l\u00edneas muy largas provoque la asignaci\u00f3n de cantidades de memoria arbitrariamente grandes, lo que podr\u00eda provocar un agotamiento de la memoria. Con la correcci\u00f3n, la funci\u00f3n ParseMultipartForm ahora limita correctamente el tama\u00f1o m\u00e1ximo de las l\u00edneas del formulario."
          }
        ],
        "id": "CVE-2023-45290",
        "lastModified": "2024-03-29T13:15:13.957",
        "metrics": {},
        "published": "2024-03-05T23:15:07.210",
        "references": [
          {
            "source": "security@golang.org",
            "url": "https://go.dev/cl/569341"
          },
          {
            "source": "security@golang.org",
            "url": "https://go.dev/issue/65383"
          },
          {
            "source": "security@golang.org",
            "url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"
          },
          {
            "source": "security@golang.org",
            "url": "https://pkg.go.dev/vuln/GO-2024-2599"
          },
          {
            "source": "security@golang.org",
            "url": "https://security.netapp.com/advisory/ntap-20240329-0004/"
          }
        ],
        "sourceIdentifier": "security@golang.org",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.