pkg:golang/golang.org/x/net@0.17.0
Allocation of Resources Without Limits or Throttling
| Affected range | <0.33.0 |
| Fixed version | 0.33.0 |
| CVSS Score | 8.7 |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| EPSS Score | 0.045% |
| EPSS Percentile | 18th percentile |
Description
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Uncontrolled Resource Consumption
| Affected range | <0.23.0 |
| Fixed version | 0.23.0 |
| CVSS Score | 5.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| EPSS Score | 0.044% |
| EPSS Percentile | 15th percentile |
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
golang.org/x/net 
