RHSA-2023_3167 - Vulnerability-Lookup

RHSA-2023_3167

Vulnerability from csaf_redhat - Published: 2023-05-18 12:12 - Updated: 2024-12-17 22:19

Summary

Red Hat Security Advisory: Red Hat build of Cryostat 2.3.0: new RHEL 8 container images

Severity

Moderate

Notes

Topic: New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images are now available

Details: New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes. Users of the Red Hat build of Cryostat 2.2.1 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. You can find images updated by this advisory in Red Hat Container Catalog (see References).

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2022-41723

A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:3167

CVE-2022-41724

A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:3167

CVE-2022-41725

A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:3167

CVE-2023-24534

A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:3167

CVE-2023-24536

A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an issue during multipart form parsing. By sending a specially crafted input, a remote attacker can consume large amounts of CPU and memory, resulting in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:3167

CVE-2023-24537

A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker can cause a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:3167

References

URL

Category

	https://access.redhat.com/errata/RHSA-2023:3167	self
	https://access.redhat.com/security/updates/classi…	external
	https://catalog.redhat.com/	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2178358	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2178488	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2178492	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2184482	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2184483	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2184484	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2022-41723	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2178358	external
	https://www.cve.org/CVERecord?id=CVE-2022-41723	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-41723	external
	https://github.com/advisories/GHSA-vvpx-j8f3-3w6h	external
	https://go.dev/cl/468135	external
	https://go.dev/cl/468295	external
	https://go.dev/issue/57855	external
	https://groups.google.com/g/golang-announce/c/V0a…	external
	https://pkg.go.dev/vuln/GO-2023-1571	external
	https://vuln.go.dev/ID/GO-2023-1571.json	external
	https://access.redhat.com/security/cve/CVE-2022-41724	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2178492	external
	https://www.cve.org/CVERecord?id=CVE-2022-41724	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-41724	external
	https://go.dev/cl/468125	external
	https://go.dev/issue/58001	external
	https://pkg.go.dev/vuln/GO-2023-1570	external
	https://access.redhat.com/security/cve/CVE-2022-41725	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2178488	external
	https://www.cve.org/CVERecord?id=CVE-2022-41725	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-41725	external
	https://go.dev/cl/468124	external
	https://go.dev/issue/58006	external
	https://pkg.go.dev/vuln/GO-2023-1569	external
	https://access.redhat.com/security/cve/CVE-2023-24534	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2184483	external
	https://www.cve.org/CVERecord?id=CVE-2023-24534	external
	https://nvd.nist.gov/vuln/detail/CVE-2023-24534	external
	https://go.dev/issue/58975	external
	https://groups.google.com/g/golang-announce/c/Xdv…	external
	https://access.redhat.com/security/cve/CVE-2023-24536	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2184482	external
	https://www.cve.org/CVERecord?id=CVE-2023-24536	external
	https://nvd.nist.gov/vuln/detail/CVE-2023-24536	external
	https://go.dev/issue/59153	external
	https://access.redhat.com/security/cve/CVE-2023-24537	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2184484	external
	https://www.cve.org/CVERecord?id=CVE-2023-24537	external
	https://nvd.nist.gov/vuln/detail/CVE-2023-24537	external
	https://github.com/golang/go/issues/59180	external

Acknowledgments

Catena Cyber Philippe Antoine

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images are now available",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes.\n\nUsers of the Red Hat build of Cryostat 2.2.1 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.\n\nYou can find images updated by this advisory in Red Hat Container Catalog (see References).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:3167",
        "url": "https://access.redhat.com/errata/RHSA-2023:3167"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/",
        "url": "https://catalog.redhat.com/"
      },
      {
        "category": "external",
        "summary": "2178358",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358"
      },
      {
        "category": "external",
        "summary": "2178488",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178488"
      },
      {
        "category": "external",
        "summary": "2178492",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492"
      },
      {
        "category": "external",
        "summary": "2184482",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184482"
      },
      {
        "category": "external",
        "summary": "2184483",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483"
      },
      {
        "category": "external",
        "summary": "2184484",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184484"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3167.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Cryostat 2.3.0: new RHEL 8 container images",
    "tracking": {
      "current_release_date": "2024-12-17T22:19:24+00:00",
      "generator": {
        "date": "2024-12-17T22:19:24+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.3"
        }
      },
      "id": "RHSA-2023:3167",
      "initial_release_date": "2023-05-18T12:12:25+00:00",
      "revision_history": [
        {
          "date": "2023-05-18T12:12:25+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-05-18T12:12:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-17T22:19:24+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Cryostat 2 on RHEL 8",
                "product": {
                  "name": "Cryostat 2 on RHEL 8",
                  "product_id": "8Base-Cryostat-2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cryostat:2::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Cryostat"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-grafana-dashboard-rhel8\u0026tag=2.3.0-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-reports-rhel8\u0026tag=2.3.0-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-rhel8\u0026tag=2.3.0-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-operator-bundle\u0026tag=2.3.0-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-rhel8-operator\u0026tag=2.3.0-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64",
                "product": {
                  "name": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64",
                  "product_id": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/jfr-datasource-rhel8\u0026tag=2.3.0-5"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        },
        "product_reference": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Philippe Antoine"
          ],
          "organization": "Catena Cyber"
        }
      ],
      "cve": "CVE-2022-41723",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-03-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2178358"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container so the impact could not cascade across the entire infrastructure, this vulnerability is rated Moderate impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41723"
        },
        {
          "category": "external",
          "summary": "RHBZ#2178358",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41723",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h",
          "url": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/468135",
          "url": "https://go.dev/cl/468135"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/468295",
          "url": "https://go.dev/cl/468295"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/57855",
          "url": "https://go.dev/issue/57855"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1571",
          "url": "https://pkg.go.dev/vuln/GO-2023-1571"
        },
        {
          "category": "external",
          "summary": "https://vuln.go.dev/ID/GO-2023-1571.json",
          "url": "https://vuln.go.dev/ID/GO-2023-1571.json"
        }
      ],
      "release_date": "2023-02-17T14:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-05-18T12:12:25+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3167"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding"
    },
    {
      "cve": "CVE-2022-41724",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-03-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2178492"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: crypto/tls: large handshake records may cause panics",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The opportunity for a denial of service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41724"
        },
        {
          "category": "external",
          "summary": "RHBZ#2178492",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41724",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/468125",
          "url": "https://go.dev/cl/468125"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/58001",
          "url": "https://go.dev/issue/58001"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1570",
          "url": "https://pkg.go.dev/vuln/GO-2023-1570"
        }
      ],
      "release_date": "2023-02-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-05-18T12:12:25+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3167"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: crypto/tls: large handshake records may cause panics"
    },
    {
      "cve": "CVE-2022-41725",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-03-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2178488"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http, mime/multipart: denial of service from excessive resource consumption",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41725"
        },
        {
          "category": "external",
          "summary": "RHBZ#2178488",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178488"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41725",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/468124",
          "url": "https://go.dev/cl/468124"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/58006",
          "url": "https://go.dev/issue/58006"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1569",
          "url": "https://pkg.go.dev/vuln/GO-2023-1569"
        }
      ],
      "release_date": "2023-02-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-05-18T12:12:25+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3167"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: net/http, mime/multipart: denial of service from excessive resource consumption"
    },
    {
      "cve": "CVE-2023-24534",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-04-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2184483"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http, net/textproto: denial of service from excessive memory allocation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-24534"
        },
        {
          "category": "external",
          "summary": "RHBZ#2184483",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24534",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-24534"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/58975",
          "url": "https://go.dev/issue/58975"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        }
      ],
      "release_date": "2023-04-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-05-18T12:12:25+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3167"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: net/http, net/textproto: denial of service from excessive memory allocation"
    },
    {
      "cve": "CVE-2023-24536",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-04-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2184482"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an issue during multipart form parsing. By sending a specially crafted input, a remote attacker can consume large amounts of CPU and memory, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "For Red Hat Enterprise Linux,\n\n* Conmon uses Go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not-affected.\n* The CVE refers to multipart form parsing routine mime/multipart.Reader.ReadForm, which is not used in Grafana, hence it is not-affected.\n* Butane does not parse multipart forms, hence, it is also not-affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-24536"
        },
        {
          "category": "external",
          "summary": "RHBZ#2184482",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184482"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24536",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-24536"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24536",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24536"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/59153",
          "url": "https://go.dev/issue/59153"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        }
      ],
      "release_date": "2023-04-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-05-18T12:12:25+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3167"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption"
    },
    {
      "cve": "CVE-2023-24537",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2023-04-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2184484"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker can cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: go/parser: Infinite loop in parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-24537"
        },
        {
          "category": "external",
          "summary": "RHBZ#2184484",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184484"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24537",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang/go/issues/59180",
          "url": "https://github.com/golang/go/issues/59180"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        }
      ],
      "release_date": "2023-04-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-05-18T12:12:25+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3167"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c0bd96a3e451ee82a5874e56b34156050452ff7fbafaf192b5991b825e6dd979_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:d5dc8178232bc360954311bfc28fbbf0ead2144a73b289b0308f27d9c3379b60_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:21c64326fda1bf605b430844634fd456f3ebbafd7539c18356ee0ceb204f614f_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:91b3cf3508eff9ebc86b40aed0e9216caf2120d68ce2dfa178094733153b467c_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:e207cee8c61092f6c8e75b3a4aea220d248ec24169da45864c948a966d686f81_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:5156043fce0f9130235c7cf9cdb19545620524dac856f6638dff72735647206f_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: go/parser: Infinite loop in parsing"
    }
  ]
}

CVE-2022-41725 (GCVE-0-2022-41725)

Vulnerability from cvelistv5 – Published: 2023-02-28 17:19 – Updated: 2025-03-07 17:58

Title

Excessive resource consumption in mime/multipart

Summary

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

Severity ?

No CVSS data available.

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

Go

References

URL

Tags

	https://go.dev/issue/58006
	https://go.dev/cl/468124
	https://groups.google.com/g/golang-announce/c/V0a…
	https://pkg.go.dev/vuln/GO-2023-1569
	https://security.gentoo.org/glsa/202311-09

Impacted products

	Vendor	Product	Version
	Go standard library	mime/multipart	Affected: 0 , < 1.19.6 (semver) Affected: 1.20.0-0 , < 1.20.1 (semver)

Credits

Arpad Ryszka Jakob Ackermann (@das7pad)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:49:43.723Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/58006"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/468124"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1569"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41725",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-07T17:57:52.557641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-07T17:58:06.747Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "mime/multipart",
          "product": "mime/multipart",
          "programRoutines": [
            {
              "name": "Reader.ReadForm"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.1",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Arpad Ryszka"
        },
        {
          "lang": "en",
          "value": "Jakob Ackermann (@das7pad)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type\u0027s documentation states, \"If stored on disk, the File\u0027s underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:09:27.308Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/58006"
        },
        {
          "url": "https://go.dev/cl/468124"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1569"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Excessive resource consumption in mime/multipart"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2022-41725",
    "datePublished": "2023-02-28T17:19:42.989Z",
    "dateReserved": "2022-09-28T17:02:29.447Z",
    "dateUpdated": "2025-03-07T17:58:06.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-24534 (GCVE-0-2023-24534)

Vulnerability from cvelistv5 – Published: 2023-04-06 15:50 – Updated: 2025-02-13 16:44

Title

Excessive memory allocation in net/http and net/textproto

Summary

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

Go

References

URL

Tags

	https://go.dev/issue/58975
	https://go.dev/cl/481994
	https://groups.google.com/g/golang-announce/c/Xdv…
	https://pkg.go.dev/vuln/GO-2023-1704
	https://security.netapp.com/advisory/ntap-2023052…
	https://security.gentoo.org/glsa/202311-09

Impacted products

	Vendor	Product	Version
	Go standard library	net/textproto	Affected: 0 , < 1.19.8 (semver) Affected: 1.20.0-0 , < 1.20.3 (semver)

Credits

Jakob Ackermann (@das7pad)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:03:17.787Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/58975"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/481994"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1704"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230526-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-24534",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T17:14:51.815762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T17:15:47.401Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/textproto",
          "product": "net/textproto",
          "programRoutines": [
            {
              "name": "readMIMEHeader"
            },
            {
              "name": "Reader.upcomingHeaderNewlines"
            },
            {
              "name": "Reader.ReadMIMEHeader"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.3",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakob Ackermann (@das7pad)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:10:11.790Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/58975"
        },
        {
          "url": "https://go.dev/cl/481994"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1704"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230526-0007/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Excessive memory allocation in net/http and net/textproto"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-24534",
    "datePublished": "2023-04-06T15:50:45.710Z",
    "dateReserved": "2023-01-25T21:19:20.642Z",
    "dateUpdated": "2025-02-13T16:44:17.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-41724 (GCVE-0-2022-41724)

Vulnerability from cvelistv5 – Published: 2023-02-28 17:19 – Updated: 2025-03-07 17:57

Title

Panic on large handshake records in crypto/tls

Summary

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Severity ?

No CVSS data available.

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

Go

References

URL

Tags

	https://go.dev/issue/58001
	https://go.dev/cl/468125
	https://groups.google.com/g/golang-announce/c/V0a…
	https://pkg.go.dev/vuln/GO-2023-1570
	https://security.gentoo.org/glsa/202311-09

Impacted products

	Vendor	Product	Version
	Go standard library	crypto/tls	Affected: 0 , < 1.19.6 (semver) Affected: 1.20.0-0 , < 1.20.1 (semver)

Credits

Marten Seemann

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:49:43.929Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/58001"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/468125"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1570"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41724",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-07T17:56:50.422222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-07T17:57:05.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "handshakeMessage.marshal"
            },
            {
              "name": "Conn.writeRecord"
            },
            {
              "name": "Conn.readHandshake"
            },
            {
              "name": "Conn.handleRenegotiation"
            },
            {
              "name": "Conn.handlePostHandshakeMessage"
            },
            {
              "name": "Conn.handleKeyUpdate"
            },
            {
              "name": "Conn.clientHandshake"
            },
            {
              "name": "Conn.loadSession"
            },
            {
              "name": "clientHandshakeState.handshake"
            },
            {
              "name": "clientHandshakeState.doFullHandshake"
            },
            {
              "name": "clientHandshakeState.readFinished"
            },
            {
              "name": "clientHandshakeState.readSessionTicket"
            },
            {
              "name": "clientHandshakeState.sendFinished"
            },
            {
              "name": "clientHandshakeStateTLS13.handshake"
            },
            {
              "name": "clientHandshakeStateTLS13.sendDummyChangeCipherSpec"
            },
            {
              "name": "clientHandshakeStateTLS13.processHelloRetryRequest"
            },
            {
              "name": "clientHandshakeStateTLS13.readServerParameters"
            },
            {
              "name": "clientHandshakeStateTLS13.readServerCertificate"
            },
            {
              "name": "clientHandshakeStateTLS13.readServerFinished"
            },
            {
              "name": "clientHandshakeStateTLS13.sendClientCertificate"
            },
            {
              "name": "clientHandshakeStateTLS13.sendClientFinished"
            },
            {
              "name": "clientHelloMsg.marshal"
            },
            {
              "name": "clientHelloMsg.marshalWithoutBinders"
            },
            {
              "name": "clientHelloMsg.updateBinders"
            },
            {
              "name": "serverHelloMsg.marshal"
            },
            {
              "name": "encryptedExtensionsMsg.marshal"
            },
            {
              "name": "endOfEarlyDataMsg.marshal"
            },
            {
              "name": "keyUpdateMsg.marshal"
            },
            {
              "name": "newSessionTicketMsgTLS13.marshal"
            },
            {
              "name": "certificateRequestMsgTLS13.marshal"
            },
            {
              "name": "certificateMsg.marshal"
            },
            {
              "name": "certificateMsgTLS13.marshal"
            },
            {
              "name": "serverKeyExchangeMsg.marshal"
            },
            {
              "name": "certificateStatusMsg.marshal"
            },
            {
              "name": "serverHelloDoneMsg.marshal"
            },
            {
              "name": "clientKeyExchangeMsg.marshal"
            },
            {
              "name": "finishedMsg.marshal"
            },
            {
              "name": "certificateRequestMsg.marshal"
            },
            {
              "name": "certificateVerifyMsg.marshal"
            },
            {
              "name": "newSessionTicketMsg.marshal"
            },
            {
              "name": "helloRequestMsg.marshal"
            },
            {
              "name": "Conn.readClientHello"
            },
            {
              "name": "serverHandshakeState.doResumeHandshake"
            },
            {
              "name": "serverHandshakeState.doFullHandshake"
            },
            {
              "name": "serverHandshakeState.readFinished"
            },
            {
              "name": "serverHandshakeState.sendSessionTicket"
            },
            {
              "name": "serverHandshakeState.sendFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.checkForResumption"
            },
            {
              "name": "serverHandshakeStateTLS13.sendDummyChangeCipherSpec"
            },
            {
              "name": "serverHandshakeStateTLS13.doHelloRetryRequest"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerParameters"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerCertificate"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.sendSessionTickets"
            },
            {
              "name": "serverHandshakeStateTLS13.readClientCertificate"
            },
            {
              "name": "serverHandshakeStateTLS13.readClientFinished"
            },
            {
              "name": "cipherSuiteTLS13.expandLabel"
            },
            {
              "name": "sessionState.marshal"
            },
            {
              "name": "sessionStateTLS13.marshal"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "ConnectionState.ExportKeyingMaterial"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.1",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marten Seemann"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth \u003e= RequestClientCert)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:09:30.560Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/58001"
        },
        {
          "url": "https://go.dev/cl/468125"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1570"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Panic on large handshake records in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2022-41724",
    "datePublished": "2023-02-28T17:19:44.420Z",
    "dateReserved": "2022-09-28T17:00:06.611Z",
    "dateUpdated": "2025-03-07T17:57:05.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-24536 (GCVE-0-2023-24536)

Vulnerability from cvelistv5 – Published: 2023-04-06 15:50 – Updated: 2025-02-13 16:44

Title

Excessive resource consumption in net/http, net/textproto and mime/multipart

Summary

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

Go

References

URL

Tags

	https://go.dev/issue/59153
	https://go.dev/cl/482076
	https://go.dev/cl/482075
	https://go.dev/cl/482077
	https://groups.google.com/g/golang-announce/c/Xdv…
	https://pkg.go.dev/vuln/GO-2023-1705
	https://security.netapp.com/advisory/ntap-2023052…
	https://security.gentoo.org/glsa/202311-09

Impacted products

Vendor

Product

Version

Go standard library

Affected: 0 , < 1.19.8 (semver)
Affected: 1.20.0-0 , < 1.20.3 (semver)

Go standard library

Affected: 0 , < 1.19.8 (semver)
Affected: 1.20.0-0 , < 1.20.3 (semver)

Credits

Jakob Ackermann (@das7pad)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:03:17.787Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/59153"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/482076"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/482075"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/482077"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1705"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230526-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-24536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T17:16:31.233167Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T17:17:32.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "mime/multipart",
          "product": "mime/multipart",
          "programRoutines": [
            {
              "name": "Reader.readForm"
            },
            {
              "name": "mimeHeaderSize"
            },
            {
              "name": "newPart"
            },
            {
              "name": "Part.populateHeaders"
            },
            {
              "name": "Reader.NextPart"
            },
            {
              "name": "Reader.NextRawPart"
            },
            {
              "name": "Reader.nextPart"
            },
            {
              "name": "readMIMEHeader"
            },
            {
              "name": "Reader.ReadForm"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.3",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/textproto",
          "product": "net/textproto",
          "programRoutines": [
            {
              "name": "readMIMEHeader"
            },
            {
              "name": "Reader.ReadMIMEHeader"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.3",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakob Ackermann (@das7pad)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:09:50.567Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/59153"
        },
        {
          "url": "https://go.dev/cl/482076"
        },
        {
          "url": "https://go.dev/cl/482075"
        },
        {
          "url": "https://go.dev/cl/482077"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1705"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230526-0007/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Excessive resource consumption in net/http, net/textproto and mime/multipart"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-24536",
    "datePublished": "2023-04-06T15:50:24.879Z",
    "dateReserved": "2023-01-25T21:19:20.642Z",
    "dateUpdated": "2025-02-13T16:44:18.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-41723 (GCVE-0-2022-41723)

Vulnerability from cvelistv5 – Published: 2023-02-28 17:19 – Updated: 2025-05-05 16:12

Title

Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net

Summary

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE 400: Uncontrolled Resource Consumption

Assigner

Go

References

URL

Tags

	https://go.dev/issue/57855
	https://go.dev/cl/468135
	https://go.dev/cl/468295
	https://groups.google.com/g/golang-announce/c/V0a…
	https://pkg.go.dev/vuln/GO-2023-1571
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://www.couchbase.com/alerts/
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://security.gentoo.org/glsa/202311-09

Impacted products

Vendor

Product

Version

Go standard library

Affected: 0 , < 1.19.6 (semver)
Affected: 1.20.0-0 , < 1.20.1 (semver)

	golang.org/x/net	golang.org/x/net/http2	Affected: 0 , < 0.7.0 (semver)
	golang.org/x/net	golang.org/x/net/http2/hpack	Affected: 0 , < 0.7.0 (semver)

Credits

Philippe Antoine (Catena cyber)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:49:43.617Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20230331-0010/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/57855"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/468135"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/468295"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1571"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.couchbase.com/alerts/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-41723",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:26:37.352634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "NVD-CWE-Other",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T16:12:28.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "Server.Serve"
            },
            {
              "name": "Client.Do"
            },
            {
              "name": "Client.Get"
            },
            {
              "name": "Client.Head"
            },
            {
              "name": "Client.Post"
            },
            {
              "name": "Client.PostForm"
            },
            {
              "name": "Get"
            },
            {
              "name": "Head"
            },
            {
              "name": "ListenAndServe"
            },
            {
              "name": "ListenAndServeTLS"
            },
            {
              "name": "Post"
            },
            {
              "name": "PostForm"
            },
            {
              "name": "Serve"
            },
            {
              "name": "ServeTLS"
            },
            {
              "name": "Server.ListenAndServe"
            },
            {
              "name": "Server.ListenAndServeTLS"
            },
            {
              "name": "Server.ServeTLS"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.1",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2",
          "product": "golang.org/x/net/http2",
          "programRoutines": [
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "Server.ServeConn"
            },
            {
              "name": "ClientConn.Close"
            },
            {
              "name": "ClientConn.Ping"
            },
            {
              "name": "ClientConn.RoundTrip"
            },
            {
              "name": "ClientConn.Shutdown"
            },
            {
              "name": "ConfigureServer"
            },
            {
              "name": "ConfigureTransport"
            },
            {
              "name": "ConfigureTransports"
            },
            {
              "name": "ConnectionError.Error"
            },
            {
              "name": "ErrCode.String"
            },
            {
              "name": "FrameHeader.String"
            },
            {
              "name": "FrameType.String"
            },
            {
              "name": "FrameWriteRequest.String"
            },
            {
              "name": "Framer.ReadFrame"
            },
            {
              "name": "Framer.WriteContinuation"
            },
            {
              "name": "Framer.WriteData"
            },
            {
              "name": "Framer.WriteDataPadded"
            },
            {
              "name": "Framer.WriteGoAway"
            },
            {
              "name": "Framer.WriteHeaders"
            },
            {
              "name": "Framer.WritePing"
            },
            {
              "name": "Framer.WritePriority"
            },
            {
              "name": "Framer.WritePushPromise"
            },
            {
              "name": "Framer.WriteRSTStream"
            },
            {
              "name": "Framer.WriteRawFrame"
            },
            {
              "name": "Framer.WriteSettings"
            },
            {
              "name": "Framer.WriteSettingsAck"
            },
            {
              "name": "Framer.WriteWindowUpdate"
            },
            {
              "name": "GoAwayError.Error"
            },
            {
              "name": "ReadFrameHeader"
            },
            {
              "name": "Setting.String"
            },
            {
              "name": "SettingID.String"
            },
            {
              "name": "SettingsFrame.ForeachSetting"
            },
            {
              "name": "StreamError.Error"
            },
            {
              "name": "Transport.CloseIdleConnections"
            },
            {
              "name": "Transport.NewClientConn"
            },
            {
              "name": "Transport.RoundTripOpt"
            },
            {
              "name": "bufferedWriter.Flush"
            },
            {
              "name": "bufferedWriter.Write"
            },
            {
              "name": "chunkWriter.Write"
            },
            {
              "name": "clientConnPool.GetClientConn"
            },
            {
              "name": "connError.Error"
            },
            {
              "name": "dataBuffer.Read"
            },
            {
              "name": "duplicatePseudoHeaderError.Error"
            },
            {
              "name": "gzipReader.Close"
            },
            {
              "name": "gzipReader.Read"
            },
            {
              "name": "headerFieldNameError.Error"
            },
            {
              "name": "headerFieldValueError.Error"
            },
            {
              "name": "noDialClientConnPool.GetClientConn"
            },
            {
              "name": "noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "pipe.Read"
            },
            {
              "name": "priorityWriteScheduler.CloseStream"
            },
            {
              "name": "priorityWriteScheduler.OpenStream"
            },
            {
              "name": "pseudoHeaderError.Error"
            },
            {
              "name": "requestBody.Close"
            },
            {
              "name": "requestBody.Read"
            },
            {
              "name": "responseWriter.Flush"
            },
            {
              "name": "responseWriter.FlushError"
            },
            {
              "name": "responseWriter.Push"
            },
            {
              "name": "responseWriter.SetReadDeadline"
            },
            {
              "name": "responseWriter.SetWriteDeadline"
            },
            {
              "name": "responseWriter.Write"
            },
            {
              "name": "responseWriter.WriteHeader"
            },
            {
              "name": "responseWriter.WriteString"
            },
            {
              "name": "serverConn.CloseConn"
            },
            {
              "name": "serverConn.Flush"
            },
            {
              "name": "stickyErrWriter.Write"
            },
            {
              "name": "transportResponseBody.Close"
            },
            {
              "name": "transportResponseBody.Read"
            },
            {
              "name": "writeData.String"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2/hpack",
          "product": "golang.org/x/net/http2/hpack",
          "programRoutines": [
            {
              "name": "Decoder.parseFieldLiteral"
            },
            {
              "name": "Decoder.readString"
            },
            {
              "name": "Decoder.DecodeFull"
            },
            {
              "name": "Decoder.Write"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Philippe Antoine (Catena cyber)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE 400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:09:48.448Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/57855"
        },
        {
          "url": "https://go.dev/cl/468135"
        },
        {
          "url": "https://go.dev/cl/468295"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1571"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
        },
        {
          "url": "https://www.couchbase.com/alerts/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2022-41723",
    "datePublished": "2023-02-28T17:19:45.801Z",
    "dateReserved": "2022-09-28T17:00:06.610Z",
    "dateUpdated": "2025-05-05T16:12:28.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-24537 (GCVE-0-2023-24537)

Vulnerability from cvelistv5 – Published: 2023-04-06 15:50 – Updated: 2025-02-13 16:44

Title

Infinite loop in parsing in go/scanner

Summary

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

Go

References

URL

Tags

	https://go.dev/issue/59180
	https://go.dev/cl/482078
	https://groups.google.com/g/golang-announce/c/Xdv…
	https://pkg.go.dev/vuln/GO-2023-1702
	https://security.gentoo.org/glsa/202311-09

Impacted products

	Vendor	Product	Version
	Go standard library	go/scanner	Affected: 0 , < 1.19.8 (semver) Affected: 1.20.0-0 , < 1.20.3 (semver)

Credits

Philippe Antoine (Catena cyber)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-11-29T12:04:35.562Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/59180"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/482078"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1702"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241129-0004/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-24537",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T17:00:19.402169Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T17:01:10.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "go/scanner",
          "product": "go/scanner",
          "programRoutines": [
            {
              "name": "Scanner.updateLineInfo"
            },
            {
              "name": "Scanner.Scan"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.3",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Philippe Antoine (Catena cyber)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:09:46.845Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/59180"
        },
        {
          "url": "https://go.dev/cl/482078"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1702"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Infinite loop in parsing in go/scanner"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-24537",
    "datePublished": "2023-04-06T15:50:49.556Z",
    "dateReserved": "2023-01-25T21:19:20.642Z",
    "dateUpdated": "2025-02-13T16:44:18.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.