
x/vulndb: potential Go vuln in net/http, net/textproto: CVE-2023-24534 #1704

tatianab opened this issue Apr 5, 2023 · 1 comment
tatianab commented Apr 5, 2023

CVE ID: CVE-2023-24534

GHSA ID: No response

Additional information:

net/http, net/textproto: denial of service from excessive memory allocation

HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs.

Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.

Header parsing now correctly allocates only the memory required to hold parsed headers.

Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8

@tatianab tatianab added the stdlib label Apr 5, 2023
@tatianab tatianab self-assigned this Apr 5, 2023
@gopherbot

Change https://go.dev/cl/482619 mentions this issue: data/reports: add GO-2023-1704.yaml

gopherbot pushed a commit that referenced this issue Apr 5, 2023
Aliases: CVE-2023-24534

Updates #1704

Change-Id: If292486de476c975a01116a98c9af63935135830
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/482619
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
@tatianab tatianab closed this as completed Apr 6, 2023