GHSA-fqh4-rh59-xhvf

Source

https://github.com/advisories/GHSA-fqh4-rh59-xhvf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-fqh4-rh59-xhvf/GHSA-fqh4-rh59-xhvf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fqh4-rh59-xhvf

Aliases

CVE-2021-23351

Published

2021-05-18T21:07:43Z

Modified

2025-01-14T08:57:16.387794Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

github.com/pires/go-proxyproto denial of service vulnerability

Details

The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in the code, a deliberately malformed V1 header could be used to exhaust memory in a server process using this code - and create a DoS. This can be exploited by sending a stream starting with PROXY and continuing to send data (which does not contain a newline) until the target stops acknowledging. The risk here is small, because only trusted sources should be allowed to send proxy protocol headers.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T21:03:39Z"
}

References

Affected packages

Go / github.com/pires/go-proxyproto

Package

Name: github.com/pires/go-proxyproto; View open source insights on deps.dev
Purl: pkg:golang/github.com/pires/go-proxyproto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0