CVE-2023-39326: Uncontrolled Resource Consumption in Standard Library NET Http Internal

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 68.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 6; Latest update Jan 11

Description

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the ch
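The mechanism in the description is a mismatch between wire bytes and body bytes: a chunk-size line may carry an arbitrarily long extension (`size;name=value`), and a decoder that reads the whole line before deciding anything will pull that data off the network even though none of it is delivered as body. The added Go example below, written for this page and not taken from Go's net/http/internal, decodes a chunked body while charging every non-payload byte (size lines, extensions, framing CRLFs) against an overhead budget and aborting the moment the budget is exceeded, rather than after the line has been buffered. The function name `ReadChunkedBounded`, the helper `readLineBounded`, the 4096-byte budget and the two sample inputs are all constructed for the example. Note that application-level limits such as `http.MaxBytesReader` sit after chunked decoding and count decoded body bytes, so they do not bound this kind of wire-level read; the fix for the vulnerability itself is a Go release outside the affected range listed below.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrChunkOverhead is returned once the bytes spent on chunk-size lines,
// chunk extensions and framing CRLFs exceed the caller's budget.
var ErrChunkOverhead = errors.New("chunked body: framing overhead exceeds budget")

// readLineBounded reads one line (through '\n') one byte at a time, charging
// each byte to *overhead and failing as soon as the budget is exceeded. Reading
// byte by byte means an oversized chunk extension is rejected mid-line instead
// of being buffered in full first.
func readLineBounded(br *bufio.Reader, overhead *int, maxOverhead int) (string, error) {
	var sb strings.Builder
	for {
		b, err := br.ReadByte()
		if err != nil {
			return "", err
		}
		*overhead++
		if *overhead > maxOverhead {
			return "", ErrChunkOverhead
		}
		sb.WriteByte(b)
		if b == '\n' {
			return sb.String(), nil
		}
	}
}

// ReadChunkedBounded decodes a chunked transfer-coded body from r and returns
// the payload. Payload bytes are unbounded here (the caller can wrap r or the
// result with its own size limit); the point is that non-payload bytes are
// capped at maxOverhead, so a sender cannot make the receiver consume far more
// network bytes than the body contains. Illustrative decoder, not Go's own.
func ReadChunkedBounded(r io.Reader, maxOverhead int) ([]byte, error) {
	br := bufio.NewReader(r)
	var body bytes.Buffer
	overhead := 0
	for {
		// Chunk-size line: "<hex-size>[;extension...]\r\n".
		line, err := readLineBounded(br, &overhead, maxOverhead)
		if err != nil {
			return nil, fmt.Errorf("reading chunk-size line: %w", err)
		}
		line = strings.TrimRight(line, "\r\n")
		// Any chunk extension is ignored; only the size matters for framing.
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i]
		}
		size, err := strconv.ParseUint(strings.TrimSpace(line), 16, 32)
		if err != nil {
			return nil, fmt.Errorf("bad chunk size %q: %w", line, err)
		}
		if size == 0 {
			// Last chunk: consume trailer lines up to the terminating blank line.
			for {
				t, err := readLineBounded(br, &overhead, maxOverhead)
				if err != nil {
					return nil, fmt.Errorf("reading trailer: %w", err)
				}
				if t == "\r\n" || t == "\n" {
					return body.Bytes(), nil
				}
			}
		}
		// Exactly size payload bytes follow, then a CRLF that is pure framing.
		if _, err := io.CopyN(&body, br, int64(size)); err != nil {
			return nil, fmt.Errorf("reading chunk data: %w", err)
		}
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(br, crlf); err != nil {
			return nil, fmt.Errorf("reading chunk terminator: %w", err)
		}
		if !bytes.Equal(crlf, []byte("\r\n")) {
			return nil, errors.New("chunked body: missing CRLF after chunk data")
		}
		overhead += 2
		if overhead > maxOverhead {
			return nil, ErrChunkOverhead
		}
	}
}

func main() {
	// Constructed sample inputs, not captured traffic: a plain two-chunk body,
	// and a one-chunk body whose size line carries a 10,000-byte extension.
	benign := "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
	padded := "5;" + strings.Repeat("x", 10000) + "\r\nhello\r\n0\r\n\r\n"
	for _, in := range []string{benign, padded} {
		got, err := ReadChunkedBounded(strings.NewReader(in), 4096)
		fmt.Printf("wire=%d bytes -> body=%q err=%v\n", len(in), got, err)
	}
}
```

The benign input decodes to "hello world" after charging 15 bytes of overhead; the padded input is rejected after 4097 bytes have been read, even though its decoded body would only be 5 bytes. The budget can also be made proportional to payload delivered so far if long trailers are legitimate in a deployment; the constant here is just the simplest form of the check.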

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5 | go_standard_library/net_http_internal | 1.21.0-01.21.5+1
NVD | golang/go | 1.21.0-01.21.5+1

Patches

🔴 Vulnerability Details (4)

OSV: Denial of service via chunk extensions in net/http (2023-12-06)
CVEList: Denial of service via chunk extensions in net/http (2023-12-06)
GHSA: GHSA-9f76-wg39-x86h: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network (2023-12-06)
OSV: CVE-2023-39326: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network (2023-12-06)

📋 Vendor Advisories (4)

Ubuntu: Go vulnerabilities (2024-01-11)
Microsoft: Denial of service via chunk extensions in net/http (2023-12-12)
Red Hat: golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (2023-12-06)
Debian: CVE-2023-39326: golang-1.15 - A malicious HTTP sender can use chunk extensions to cause a receiver reading fro... (2023)
CVE-2023-39326 — Uncontrolled Resource Consumption | cvebase