x/vulndb: potential Go vuln in golang.org/x/net: GHSA-w32m-9786-jp63

[GoVulnBot]

Advisory GHSA-w32m-9786-jp63 references a vulnerability in the following Go modules:

Module
golang.org/x/net

Description:
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

References:

• ADVISORY: GHSA-w32m-9786-jp63
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45338
• FIX: https://go.dev/cl/637536
• REPORT: https://go.dev/issue/70906
• REPORT: https://go.dev/issue/70906
• WEB: https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ

Cross references:

• golang.org/x/net appears in 16 other report(s):
  • data/reports/GO-2020-0014.yaml (dummy issue #14)
  • data/reports/GO-2021-0078.yaml (dummy issue #78)
  • data/reports/GO-2021-0238.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2021-33194 #238)
  • data/reports/GO-2022-0192.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2018-17142 #192)
  • data/reports/GO-2022-0193.yaml (x/vulndb: potential Go vuln in golang.org/x/net: CVE-2018-17143 #193)
  • data/reports/GO-2022-0197.yaml (x/vulndb: potential Go vuln in "Go Standard Library (package not identified)": CVE-2018-17847 #197)
  • data/reports/GO-2022-0236.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2021-31525 #236)
  • data/reports/GO-2022-0288.yaml (x/vulndb: potential Go vuln in std: CVE-2021-44716 #288)
  • data/reports/GO-2022-0536.yaml (x/vulndb: potential Go vuln in std: CVE-2019-9512, CVE-2019-9514 #536)
  • data/reports/GO-2022-0969.yaml (x/vulndb: potential Go vuln in std: CVE-2022-27664 #969)
  • data/reports/GO-2022-1144.yaml (x/vulndb: potential Go vuln in std: CVE-2022-41717 #1144)
  • data/reports/GO-2023-1495.yaml (x/vulndb: potential Go vuln in golang.org/x/net/http2/h2c: CVE-2022-41721 #1495)
  • data/reports/GO-2023-1571.yaml (x/vulndb: potential Go vuln in net/http: CVE-2022-41723 #1571)
  • data/reports/GO-2023-1988.yaml (x/vulndb: potential Go vuln in golang.org/x/net/html: CVE-2023-3978 #1988)
  • data/reports/GO-2023-2102.yaml (x/vulndb: potential Go vuln in net/http: CVE-2023-39325 #2102)
  • data/reports/GO-2024-2687.yaml (x/vulndb: potential Go vuln in net/http: CVE-2023-45288 #2687)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: golang.org/x/net
      versions:
        - fixed: 0.33.0
      vulnerable_at: 0.32.0
summary: Non-linear parsing of case-insensitive content in golang.org/x/net/html in golang.org/x/net
cves:
    - CVE-2024-45338
ghsas:
    - GHSA-w32m-9786-jp63
references:
    - advisory: https://github.com/advisories/GHSA-w32m-9786-jp63
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45338
    - fix: https://go.dev/cl/637536
    - report: https://go.dev/issue/70906
    - report: https://go.dev/issue/70906
    - web: https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ
source:
    id: GHSA-w32m-9786-jp63
    created: 2024-12-18T22:01:18.168343528Z
review_status: UNREVIEWED

[tatianab]

Duplicate of #3333