CVE-2022-41717 – golang.org/x/net/http2
Package
Manager: go
Name: golang.org/x/net/http2
Vulnerable Version: >=0 <0.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00413 (percentile 0.60737)
Details
golang.org/x/net/http2 vulnerable to possible excessive memory growth

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
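To check whether a project pins an affected release, the following added example (not part of the advisory or of the Go project's code) scans go.mod text for a `golang.org/x/net` requirement inside the advisory's range of >=0 <0.4.0. The function names and the sample input are constructed for illustration, and it assumes that `replace` directives and vendored copies are reviewed separately.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

var fixed = [3]int{0, 4, 0} // first fixed version; advisory range is >=0 <0.4.0

// affected reports whether v sorts below 0.4.0; unparseable input is flagged for review.
func affected(v string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	for i, want := range fixed {
		if n, err := strconv.Atoi(parts[i]); err != nil || n != want {
			return err != nil || n < want
		}
	}
	return pre != "" // a pre-release such as 0.4.0-rc1 sorts before 0.4.0
}

// findVulnerable returns the affected golang.org/x/net versions required in go.mod text.
func findVulnerable(goMod string) (hits []string) {
	block := "" // directive of the parenthesised block being read, if any
	for _, line := range strings.Split(goMod, "\n") {
		switch f := strings.Fields(strings.SplitN(line, "//", 2)[0]); { // comments dropped
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require", len(f) == 2 && block == "require":
			if m, v := f[len(f)-2], f[len(f)-1]; m == "golang.org/x/net" && affected(v) {
				hits = append(hits, v)
			}
		}
	}
	return hits
}

func main() {
	// Constructed go.mod fragment, not taken from a real project.
	sample := "require golang.org/x/text v0.3.7\nrequire (\n\tgolang.org/x/net v0.3.0 // indirect\n)\n"
	fmt.Println("affected golang.org/x/net versions:", findVulnerable(sample))
}
```

Pseudo-versions such as `v0.0.0-<timestamp>-<commit>` compare below 0.4.0 and are reported, since the advisory range starts at 0.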
Metadata
Created: 2022-12-08T21:30:19Z
Modified: 2024-05-20T21:41:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xrjj-mj9h-534m/GHSA-xrjj-mj9h-534m.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-xrjj-mj9h-534m
Finding: F067
Auto approve: 1