CVE-2022-41717
published 2022-12-08


Priority: P433
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 5.62% (92.0th percentile)
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Affected

40 ranges, showing 25

Vendor | Product | Version range | Fixed in
debian | golang-1.15 | < golang-1.19 1.19.4-1 (bookworm) | golang-1.19 1.19.4-1 (bookworm)
debian | golang-1.19 | < golang-1.19 1.19.4-1 (bookworm) | golang-1.19 1.19.4-1 (bookworm)
debian | golang-golang-x-net | < golang-1.19 1.19.4-1 (bookworm) | golang-1.19 1.19.4-1 (bookworm)
fedoraproject | fedora | (not given) | (not given)
fedoraproject | fedora | (not given) | (not given)
go_standard_library | net_http | < 1.18.9 | 1.18.9
go_standard_library | net_http | >= 1.19.0-0 < 1.19.4 | 1.19.4
golang.org | x_net | >= 0 < 0.4.0 | 0.4.0
golang.org | x_net_golang.org_x_net_http2 | < 0.4.0 | 0.4.0
golang.org | x_net_http2 | >= 0 < 0.4.0 | 0.4.0
golang | go | < 1.18.9 | 1.18.9
golang | go | >= 1.19.0 < 1.19.4 | 1.19.4
golang | http2 | < 0.4.0 | 0.4.0
msrc | azl3_gcc_13.2.0-7 | (not given) | (not given)
msrc | azl3_golang_1.17.13-2_1.18.8-2_1.21.6-1 | (not given) | (not given)
msrc | azl3_golang_1.24.3-1 | (not given) | (not given)
msrc | azl3_moby-engine_20.10.25-3 | (not given) | (not given)
msrc | azl3_moby-engine_25.0.3-1 | (not given) | (not given)
msrc | azl3_prometheus_2.37.0-11 | (not given) | (not given)
msrc | azl3_prometheus_2.45.4-1 | (not given) | (not given)
msrc | azl3_python-tensorboard_2.16.2-6 | (not given) | (not given)
msrc | azl3_sriov-network-device-plugin_3.5.1-3 | (not given) | (not given)
msrc | azl3_sriov-network-device-plugin_3.7.0-1 | (not given) | (not given)
msrc | azl3_tensorflow_2.16.1-9 | (not given) | (not given)
msrc | azure_linux_3.0_arm | (not given) | (not given)

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv | (not given) | 6.5 | MEDIUM | (not given)
vendor_ubuntu | (not given) | 6.5 | MEDIUM | (not given)
vendor_debian | (not given) | 5.3 | MEDIUM | (not given)
vendor_msrc | (not given) | 5.3 | MEDIUM | (not given)
vendor_redhat | (not given) | 5.3 | MEDIUM | (not given)