Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in net/http: CVE-2022-41723 #1571

Closed
tatianab opened this issue Feb 15, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in net/http: CVE-2022-41723 #1571

tatianab opened this issue Feb 15, 2023 · 3 comments
Assignees
@tatianab
Labels
stdlib

Comments

@tatianab
Copy link
Contributor

CVE ID

No response

GHSA ID

No response

Additional information

net/http: avoid quadratic complexity in HPACK decoding

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually configuring HTTP/2.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.
@tatianab tatianab self-assigned this Feb 15, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/468900 mentions this issue: data/reports: add GO-2023-1571.yaml

gopherbot pushed a commit that referenced this issue Feb 16, 2023
@tatianab
data/reports: add GO-2023-1571.yaml
bbfff9b 
Aliases: CVE-2022-41723

Updates #1571

Change-Id: Iec81cb886f5e67d37f5b484f59e257431bde4690
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/468900
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
@GoVulnBot GoVulnBot mentioned this issue Feb 17, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/470375 mentions this issue: data/reports: add GHSAs for GO-2023-1571, GO-2023-1572

gopherbot pushed a commit that referenced this issue Feb 22, 2023
@neild @gopherbot
data/reports: add GHSAs for GO-2023-1571, GO-2023-1572
5e75194 
For #1571
For #1572

Change-Id: I5400ea718f2a173361c5c8cbd91d32862d16644f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/470375
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/483195 mentions this issue: data/reports: update GO-2023-1571.yaml

gopherbot pushed a commit that referenced this issue Apr 11, 2023
@tatianab @gopherbot
data/reports: update GO-2023-1571.yaml
a0861d9 
Add more specific symbol data.

Aliases: CVE-2022-41723, GHSA-vvpx-j8f3-3w6h

Updates #1571

Change-Id: I8d0641c8a949fde289766c3563d868c276296844
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/483195
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
This was referenced Oct 11, 2023
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Dec 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
stdlib
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @gopherbot