CVE-2022-41717: Allocation of Resources Without Limits or Throttling in Standard Library NET Http

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.3% (top 43.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 8; Latest update Jan 9

Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (6 packages)

Source      Package                        Affected versions
NVD         golang/http2                   < 0.4.0
CVEListV5   go_standard_library/net_http   1.19.0-0 to 1.19.4+1
NVD         golang/go                      1.19.0 to 1.19.4+1

Also affects: Fedora 37, 38

Patches

Vulnerability Details (6)

OSV: golang-1.18 vulnerabilities (2023-04-25)
CVEList: Excessive memory growth in net/http and golang.org/x/net/http2 (2022-12-08)
GHSA: golang.org/x/net/http2 vulnerable to possible excessive memory growth (2022-12-08)
OSV: golang.org/x/net/http2 vulnerable to possible excessive memory growth (2022-12-08)
OSV: Excessive memory growth in net/http and golang.org/x/net/http2 (2022-12-08)

Vendor Advisories (5)

Ubuntu: Go vulnerabilities (2024-01-09)
Ubuntu: Go vulnerabilities (2023-04-25)
Microsoft: Excessive memory growth in net/http and golang.org/x/net/http2 (2022-12-13)
Red Hat: golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (2022-11-30)
Debian: CVE-2022-41717: golang-1.15 - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 re... (2022)
CVE-2022-41717 — MEDIUM severity | cvebase