GO-2023-1571

Source
https://pkg.go.dev/vuln/GO-2023-1571
Import Source
https://vuln.go.dev/ID/GO-2023-1571.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1571
Aliases
Published
2023-02-16T22:31:36Z
Modified
2024-05-20T16:03:47Z
Summary
Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
Details

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

References
Credits
    • Philippe Antoine (Catena cyber)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.19.6
Introduced
1.20.0-0
Fixed
1.20.1

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "Client.Do",
                "Client.Get",
                "Client.Head",
                "Client.Post",
                "Client.PostForm",
                "Get",
                "Head",
                "ListenAndServe",
                "ListenAndServeTLS",
                "Post",
                "PostForm",
                "Serve",
                "ServeTLS",
                "Server.ListenAndServe",
                "Server.ListenAndServeTLS",
                "Server.Serve",
                "Server.ServeTLS",
                "Transport.RoundTrip"
            ]
        }
    ]
}

Go / golang.org/x/net

Package

Name
golang.org/x/net
Purl
pkg:golang/golang.org/x/net

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.7.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/net/http2",
            "symbols": [
                "ClientConn.Close",
                "ClientConn.Ping",
                "ClientConn.RoundTrip",
                "ClientConn.Shutdown",
                "ConfigureServer",
                "ConfigureTransport",
                "ConfigureTransports",
                "ConnectionError.Error",
                "ErrCode.String",
                "FrameHeader.String",
                "FrameType.String",
                "FrameWriteRequest.String",
                "Framer.ReadFrame",
                "Framer.WriteContinuation",
                "Framer.WriteData",
                "Framer.WriteDataPadded",
                "Framer.WriteGoAway",
                "Framer.WriteHeaders",
                "Framer.WritePing",
                "Framer.WritePriority",
                "Framer.WritePushPromise",
                "Framer.WriteRSTStream",
                "Framer.WriteRawFrame",
                "Framer.WriteSettings",
                "Framer.WriteSettingsAck",
                "Framer.WriteWindowUpdate",
                "GoAwayError.Error",
                "ReadFrameHeader",
                "Server.ServeConn",
                "Setting.String",
                "SettingID.String",
                "SettingsFrame.ForeachSetting",
                "StreamError.Error",
                "Transport.CloseIdleConnections",
                "Transport.NewClientConn",
                "Transport.RoundTrip",
                "Transport.RoundTripOpt",
                "bufferedWriter.Flush",
                "bufferedWriter.Write",
                "chunkWriter.Write",
                "clientConnPool.GetClientConn",
                "connError.Error",
                "dataBuffer.Read",
                "duplicatePseudoHeaderError.Error",
                "gzipReader.Close",
                "gzipReader.Read",
                "headerFieldNameError.Error",
                "headerFieldValueError.Error",
                "noDialClientConnPool.GetClientConn",
                "noDialH2RoundTripper.RoundTrip",
                "pipe.Read",
                "priorityWriteScheduler.CloseStream",
                "priorityWriteScheduler.OpenStream",
                "pseudoHeaderError.Error",
                "requestBody.Close",
                "requestBody.Read",
                "responseWriter.Flush",
                "responseWriter.FlushError",
                "responseWriter.Push",
                "responseWriter.SetReadDeadline",
                "responseWriter.SetWriteDeadline",
                "responseWriter.Write",
                "responseWriter.WriteHeader",
                "responseWriter.WriteString",
                "serverConn.CloseConn",
                "serverConn.Flush",
                "stickyErrWriter.Write",
                "transportResponseBody.Close",
                "transportResponseBody.Read",
                "writeData.String"
            ]
        },
        {
            "path": "golang.org/x/net/http2/hpack",
            "symbols": [
                "Decoder.DecodeFull",
                "Decoder.Write",
                "Decoder.parseFieldLiteral",
                "Decoder.readString"
            ]
        }
    ]
}