gsd-2023-45290
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-45290",
"id": "GSD-2023-45290"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-45290"
],
"details": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.",
"id": "GSD-2023-45290",
"modified": "2023-12-13T01:20:37.792804Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@golang.org",
"ID": "CVE-2023-45290",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "net/textproto",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0",
"version_value": "1.21.8"
},
{
"version_affected": "\u003c",
"version_name": "1.22.0-0",
"version_value": "1.22.1"
}
]
}
}
]
},
"vendor_name": "Go standard library"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Bartek Nowotarski"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://go.dev/issue/65383",
"refsource": "MISC",
"url": "https://go.dev/issue/65383"
},
{
"name": "https://go.dev/cl/569341",
"refsource": "MISC",
"url": "https://go.dev/cl/569341"
},
{
"name": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg",
"refsource": "MISC",
"url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"
},
{
"name": "https://pkg.go.dev/vuln/GO-2024-2599",
"refsource": "MISC",
"url": "https://pkg.go.dev/vuln/GO-2024-2599"
},
{
"name": "https://security.netapp.com/advisory/ntap-20240329-0004/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20240329-0004/"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines."
},
{
"lang": "es",
"value": "Al analizar un formulario de varias partes (ya sea expl\u00edcitamente con Request.ParseMultipartForm o impl\u00edcitamente con Request.FormValue, Request.PostFormValue o Request.FormFile), no se aplicaron l\u00edmites en el tama\u00f1o total del formulario analizado a la memoria consumida al leer un solo formulario l\u00ednea. Esto permite que una entrada creada con fines malintencionados que contenga l\u00edneas muy largas provoque la asignaci\u00f3n de cantidades de memoria arbitrariamente grandes, lo que podr\u00eda provocar un agotamiento de la memoria. Con la correcci\u00f3n, la funci\u00f3n ParseMultipartForm ahora limita correctamente el tama\u00f1o m\u00e1ximo de las l\u00edneas del formulario."
}
],
"id": "CVE-2023-45290",
"lastModified": "2024-03-29T13:15:13.957",
"metrics": {},
"published": "2024-03-05T23:15:07.210",
"references": [
{
"source": "security@golang.org",
"url": "https://go.dev/cl/569341"
},
{
"source": "security@golang.org",
"url": "https://go.dev/issue/65383"
},
{
"source": "security@golang.org",
"url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"
},
{
"source": "security@golang.org",
"url": "https://pkg.go.dev/vuln/GO-2024-2599"
},
{
"source": "security@golang.org",
"url": "https://security.netapp.com/advisory/ntap-20240329-0004/"
}
],
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Awaiting Analysis"
}
}
}
}
Loading...