CVE-2023-24534

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

History

25 Nov 2023, 11:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202311-09 -

26 May 2023, 20:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230526-0007/ -

18 Apr 2023, 17:38

Type Values Removed Values Added
CPE cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
First Time Golang go
Golang
CWE CWE-400
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
References (MISC) https://pkg.go.dev/vuln/GO-2023-1704 - (MISC) https://pkg.go.dev/vuln/GO-2023-1704 - Vendor Advisory
References (MISC) https://go.dev/cl/481994 - (MISC) https://go.dev/cl/481994 - Patch, Vendor Advisory
References (MISC) https://go.dev/issue/58975 - (MISC) https://go.dev/issue/58975 - Issue Tracking, Vendor Advisory
References (MISC) https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 - (MISC) https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 - Mailing List, Patch

06 Apr 2023, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-04-06 16:15

Updated : 2023-12-10 15:01


NVD link : CVE-2023-24534

Mitre link : CVE-2023-24534

CVE.ORG link : CVE-2023-24534


JSON object : View

Products Affected

golang

  • go
CWE
CWE-400

Uncontrolled Resource Consumption