CVE-2023-45288: Uncontrolled Resource Consumption in Standard Library NET Http

Severity: 7.5 HIGH (NVD)
EPSS: 71.5% (top 1.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 4; Latest update Nov 14

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request wh
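As an added, defender-side illustration (not code from the page or from the Go project), the scanner below walks a constructed HTTP/2 frame stream, totals HEADERS and CONTINUATION payload bytes for one header block and, like the behaviour described above, keeps parsing past the per-request cap without storing anything; the excessBudget parameter is the shape of the mitigation (a bound on how much over-cap header data is parsed before the connection is abandoned). Frame-type constants follow RFC 9113; the function names, sample sizes and limits are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const frameHeaders, frameContinuation, flagEndHeaders = 0x1, 0x9, 0x4 // RFC 9113 types/flag
var ErrExcessHeaders = errors.New("http2: excess header bytes over budget, closing connection")

// buildFrame encodes a 9-byte HTTP/2 frame header plus payload (constructed sample data).
func buildFrame(ftype, flags byte, streamID uint32, payload []byte) []byte {
	f := make([]byte, 9, 9+len(payload))
	f[0], f[1], f[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	f[3], f[4] = ftype, flags
	binary.BigEndian.PutUint32(f[5:], streamID&0x7fffffff)
	return append(f, payload...)
}

// scanHeaderBlock walks raw frames and returns the header bytes seen for the first header
// block. maxHeaderBytes is the per-request cap (like net/http MaxHeaderBytes); excessBudget
// bounds how far past it parsing continues before giving up (negative = unbounded, pre-fix).
func scanHeaderBlock(stream []byte, maxHeaderBytes, excessBudget int) (int, error) {
	total := 0
	for len(stream) >= 9 {
		n := int(stream[0])<<16 | int(stream[1])<<8 | int(stream[2])
		if len(stream) < 9+n {
			return total, errors.New("http2: truncated frame")
		}
		if t := stream[3]; t == frameHeaders || t == frameContinuation {
			total += n // bytes beyond the cap are counted but never stored
			if excessBudget >= 0 && total-maxHeaderBytes > excessBudget {
				return total, ErrExcessHeaders
			}
			if stream[4]&flagEndHeaders != 0 {
				return total, nil // block complete; an oversized request is then rejected
			}
		}
		stream = stream[9+n:]
	}
	return total, errors.New("http2: header block never terminated")
}
func main() { // constructed flood: one HEADERS then 100 CONTINUATION frames, never END_HEADERS
	stream := buildFrame(frameHeaders, 0, 1, make([]byte, 1000))
	for i := 0; i < 100; i++ {
		stream = append(stream, buildFrame(frameContinuation, 0, 1, make([]byte, 1000))...)
	}
	fmt.Println(scanHeaderBlock(stream, 8192, 16384)) // stops early with ErrExcessHeaders
}
```

With a negative excessBudget the same stream is parsed to its end (101000 bytes) without ever producing a request, which is the unbounded work the advisory describes.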

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (8 packages)

Ecosystem | Package | Versions
Go | net/http | 1.22.0-0 to 1.22.2 (+1 more)
CVEListV5 | go_standard_library/net_http | 1.22.0-0 to 1.22.2 (+1 more)
Go | golang.org/x/net | < 0.23.0

Vulnerability Details (10)

OSV: ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http (2024-07-15)
GHSA: ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http (2024-07-15)
OSV: golang-1.21, golang-1.22 vulnerabilities (2024-07-09)
GHSA: Traefik affected by HTTP/2 CONTINUATION flood in net/http (2024-04-15)
OSV: Traefik affected by HTTP/2 CONTINUATION flood in net/http (2024-04-15)

Vendor Advisories (7)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-11-14)
Oracle: Oracle Blockchain Platform Risk Matrix: Blockchain Cloud Service Console (Golang Go) — CVE-2023-45288 (2024-10-15)
Ubuntu: Go vulnerabilities (2024-07-09)
Microsoft: HTTP/2 CONTINUATION flood in net/http (2024-04-09)
CVE-2023-45288 — Uncontrolled Resource Consumption | cvebase