data/reports: add GO-2022-1144.yaml
Aliases: CVE-2022-41717

Updates #1144

Change-Id: I7ac8c7020a91486cea5dbf5895f7566b6cd94919
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/456057
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
tatianab authored and Tatiana Bradley committed Dec 8, 2022
1 parent aad2780 commit 92d9286
Showing 3 changed files with 294 additions and 0 deletions.
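--- a/data/cve/v5/GO-2022-1144.json
+++ b/data/cve/v5/GO-2022-1144.json
@@ -0,0 +1,131 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.0",
+"cveMetadata": {
+"cveId": "CVE-2022-41717"
+},
+"containers": {
+"cna": {
+"providerMetadata": {
+"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+},
+"descriptions": [
+{
+"lang": "en",
+"value": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection."
+}
+],
+"affected": [
+{
+"vendor": "Go standard library",
+"product": "net/http",
+"collectionURL": "https://pkg.go.dev",
+"packageName": "net/http",
+"versions": [
+{
+"version": "0",
+"lessThan": "1.18.9",
+"status": "affected",
+"versionType": "semver"
+},
+{
+"version": "1.19.0",
+"lessThan": "1.19.4",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"programRoutines": [
+{
+"name": "http2serverConn.canonicalHeader"
+},
+{
+"name": "ListenAndServe"
+},
+{
+"name": "ListenAndServeTLS"
+},
+{
+"name": "Serve"
+},
+{
+"name": "ServeTLS"
+},
+{
+"name": "Server.ListenAndServe"
+},
+{
+"name": "Server.ListenAndServeTLS"
+},
+{
+"name": "Server.Serve"
+},
+{
+"name": "Server.ServeTLS"
+},
+{
+"name": "http2Server.ServeConn"
+}
+],
+"defaultStatus": "unaffected"
+},
+{
+"vendor": "golang.org/x/net",
+"product": "golang.org/x/net/http2",
+"collectionURL": "https://pkg.go.dev",
+"packageName": "golang.org/x/net/http2",
+"versions": [
+{
+"version": "0",
+"lessThan": "0.4.0",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"programRoutines": [
+{
+"name": "serverConn.canonicalHeader"
+},
+{
+"name": "Server.ServeConn"
+}
+],
+"defaultStatus": "unaffected"
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"lang": "en",
+"description": "CWE 400: Uncontrolled Resource Consumption"
+}
+]
+}
+],
+"references": [
+{
+"url": "https://go.dev/issue/56350"
+},
+{
+"url": "https://go.dev/cl/455717"
+},
+{
+"url": "https://go.dev/cl/455635"
+},
+{
+"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
+},
+{
+"url": "https://pkg.go.dev/vuln/GO-2022-1144"
+}
+],
+"credits": [
+{
+"lang": "en",
+"value": "Josselin Costanzi"
+}
+]
+}
+}
+}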
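--- a/data/osv/GO-2022-1144.json
+++ b/data/osv/GO-2022-1144.json
@@ -0,0 +1,115 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2022-1144",
+"published": "0001-01-01T00:00:00Z",
+"modified": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2022-41717"
+],
+"details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
+"affected": [
+{
+"package": {
+"name": "stdlib",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.18.9"
+},
+{
+"introduced": "1.19.0"
+},
+{
+"fixed": "1.19.4"
+}
+]
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2022-1144"
+},
+"ecosystem_specific": {
+"imports": [
+{
+"path": "net/http",
+"symbols": [
+"ListenAndServe",
+"ListenAndServeTLS",
+"Serve",
+"ServeTLS",
+"Server.ListenAndServe",
+"Server.ListenAndServeTLS",
+"Server.Serve",
+"Server.ServeTLS",
+"http2Server.ServeConn",
+"http2serverConn.canonicalHeader"
+]
+}
+]
+}
+},
+{
+"package": {
+"name": "golang.org/x/net",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.4.0"
+}
+]
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2022-1144"
+},
+"ecosystem_specific": {
+"imports": [
+{
+"path": "golang.org/x/net/http2",
+"symbols": [
+"Server.ServeConn",
+"serverConn.canonicalHeader"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "REPORT",
+"url": "https://go.dev/issue/56350"
+},
+{
+"type": "FIX",
+"url": "https://go.dev/cl/455717"
+},
+{
+"type": "FIX",
+"url": "https://go.dev/cl/455635"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
+}
+],
+"credits": [
+{
+"name": "Josselin Costanzi"
+}
+]
+}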
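--- a/data/reports/GO-2022-1144.yaml
+++ b/data/reports/GO-2022-1144.yaml
@@ -0,0 +1,48 @@
+modules:
+- module: std
+versions:
+- fixed: 1.18.9
+- introduced: 1.19.0
+fixed: 1.19.4
+vulnerable_at: 1.19.3
+packages:
+- package: net/http
+symbols:
+- http2serverConn.canonicalHeader
+derived_symbols:
+- ListenAndServe
+- ListenAndServeTLS
+- Serve
+- ServeTLS
+- Server.ListenAndServe
+- Server.ListenAndServeTLS
+- Server.Serve
+- Server.ServeTLS
+- http2Server.ServeConn
+- module: golang.org/x/net
+versions:
+- fixed: 0.4.0
+vulnerable_at: 0.3.0
+packages:
+- package: golang.org/x/net/http2
+symbols:
+- serverConn.canonicalHeader
+derived_symbols:
+- Server.ServeConn
+description: |
+An attacker can cause excessive memory growth in a Go server accepting
+HTTP/2 requests.
+HTTP/2 server connections contain a cache of HTTP header keys sent by the
+client. While the total number of entries in this cache is capped, an
+attacker sending very large keys can cause the server to allocate
+approximately 64 MiB per open connection.
+credit: Josselin Costanzi
+references:
+- report: https://go.dev/issue/56350
+- fix: https://go.dev/cl/455717
+- fix: https://go.dev/cl/455635
+- web: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
+cve_metadata:
+id: CVE-2022-41717
+cwe: 'CWE 400: Uncontrolled Resource Consumption'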
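Review bot: The CWE on the last line is carried only as free text, `cwe: 'CWE 400: Uncontrolled Resource Consumption'`, and the generated CVE 5.0 record in data/cve/v5 repeats that exact string as a `problemTypes` description with no machine-readable identifier, so consumers that extract a `CWE-\d+` token will find nothing to map. Suggest the canonical hyphenated form `cwe: 'CWE-400: Uncontrolled Resource Consumption'` and, if the vulndb generator supports it, also emitting a separate `cweId` in the CVE record. Separately, the description scopes the issue to servers accepting HTTP/2 requests, yet the net/http derived symbols include the cleartext entry points `ListenAndServe` and `Serve`, so govulncheck will flag programs that never negotiate HTTP/2; a sentence in the description stating that only servers which actually serve HTTP/2 are exposed — presumably TLS listeners with the default ALPN setup, to be confirmed against net/http's defaults — would help readers triage those findings.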
