x/vulndb: potential Go vuln in std: CVE-2022-41717 #1144

Closed
tatianab opened this issue Dec 6, 2022 · 3 comments
tatianab commented Dec 6, 2022

CVE ID: CVE-2022-41717

GHSA ID: No response

Additional information

net/http: limit canonical header cache by bytes, not entries

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

This issue is also fixed in golang.org/x/net/http2 v0.3.0, for users manually configuring HTTP/2.

Thanks to Josselin Costanzi for reporting this issue.

This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
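As an added illustration (not the Go standard library's code and not part of this issue), the following per-connection canonical-header-key cache caps both the entry count and the total bytes of cached keys, which is the shape of fix the advisory title describes; the cap values, type names and key sizes are assumptions chosen for the demonstration.

```go
package main

import (
	"net/textproto"
	"strconv"
	"strings"
)

// headerKeyCache memoizes canonicalization of header keys for one connection.
// Illustrative, not the stdlib's code: it caps both the entry count and the
// total bytes of cached keys, so a client sending huge keys cannot inflate
// per-connection memory the way an entry-only cap allows.
type headerKeyCache struct {
	maxEntries, maxBytes int
	usedBytes            int
	entries              map[string]string
}

func newHeaderKeyCache(maxEntries, maxBytes int) *headerKeyCache {
	return &headerKeyCache{maxEntries: maxEntries, maxBytes: maxBytes, entries: map[string]string{}}
}

// Canonical returns the canonical form of key. It caches the result only
// while both caps allow; uncached keys are still canonicalized correctly.
func (c *headerKeyCache) Canonical(key string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	canon := textproto.CanonicalMIMEHeaderKey(key)
	if len(c.entries) < c.maxEntries && c.usedBytes+len(key) <= c.maxBytes {
		c.entries[key] = canon
		c.usedBytes += len(key)
	}
	return canon
}

// CachedBytes reports the bytes held by cached keys, the quantity that grows in the advisory.
func (c *headerKeyCache) CachedBytes() int { return c.usedBytes }

// fillWithLargeKeys feeds n distinct (constructed) keys of roughly keyLen bytes
// and returns the cache's resulting footprint, to compare the two cap policies.
func fillWithLargeKeys(c *headerKeyCache, n, keyLen int) int {
	for i := 0; i < n; i++ {
		c.Canonical(strconv.Itoa(i) + strings.Repeat("a", keyLen))
	}
	return c.CachedBytes()
}
```

With an assumed 32-entry cap and an effectively unbounded byte cap, 64 keys of about 1 KiB leave roughly 32 KiB resident per connection; with an assumed 2048-byte cap the footprint stays at a single key.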

@gopherbot

Change https://go.dev/cl/456057 mentions this issue: data/reports: add GO-2022-1144.yaml

gopherbot pushed a commit that referenced this issue Dec 8, 2022
Aliases: CVE-2022-41717

Updates #1144

Change-Id: I7ac8c7020a91486cea5dbf5895f7566b6cd94919
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/456057
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>

tatianab commented Dec 8, 2022

@gopherbot

Change https://go.dev/cl/464317 mentions this issue: data/reports: add missing alias to GO-2022-1144.yaml

gopherbot pushed a commit that referenced this issue Jan 31, 2023
Aliases: CVE-2022-41717, GHSA-xrjj-mj9h-534m

Updates #1144
Fixes #1501

Change-Id: Ib2313bdf9ae45f2f138fcc637392606a60be5759
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464317
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Julie Qiu <julieqiu@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>