CVE-2023-24534

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://go.dev/cl/481994	Patch Vendor Advisory
https://go.dev/issue/58975	Issue Tracking Vendor Advisory
https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8	Mailing List Patch
https://pkg.go.dev/vuln/GO-2023-1704	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20230526-0007/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

History

25 Nov 2023, 11:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202311-09 -

26 May 2023, 20:15

Type	Values Removed	Values Added
References		(MISC) https://security.netapp.com/advisory/ntap-20230526-0007/ -

Information

Published : 2023-04-06 16:15

Updated : 2024-02-28 20:13

NVD link : CVE-2023-24534

Mitre link : CVE-2023-24534

CVE.ORG link : CVE-2023-24534

JSON object : View

Products Affected

golang

go

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2023-24534", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-04-06T16:15:07.657", "references": [{"url": "https://go.dev/cl/481994", "tags": ["Patch", "Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/58975", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8", "tags": ["Mailing List", "Patch"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1704", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://security.gentoo.org/glsa/202311-09", "source": "security@golang.org"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0007/", "source": "security@golang.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers."}], "lastModified": "2023-11-25T11:15:14.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5932E25E-7F00-4D6E-AFF8-4C5797AE628B", "versionEndExcluding": "1.19.8"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66CADC8B-8F8A-493C-8819-852F0AE224AC", "versionEndExcluding": "1.20.3", "versionStartIncluding": "1.20.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}