CVE-2021-23409 github.com/pires/go-proxyproto

Package

Manager: go
Name: github.com/pires/go-proxyproto
Vulnerable Version: >=0 <0.6.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00911 (percentile: 0.74942)

Details

github.com/pires/go-proxyproto vulnerable to DoS via Connection descriptor exhaustion

The package `github.com/pires/go-proxyproto` before 0.6.1 is vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header. While this issue was patched in 0.6.0, the fix introduced additional issues which were subsequently patched in 0.6.1.

Metadata

Created: 2021-07-26T21:23:49Z
Modified: 2023-08-30T18:51:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-xcf7-q56x-78gh/GHSA-xcf7-q56x-78gh.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-xcf7-q56x-78gh
Finding: F002
Auto approve: 1