CVE-2021-31525

CVE-2021-31525

Name

CVE-2021-31525

Description

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/golang/go/issues/45710
MISC	https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF/

Type

URI

MISC

https://github.com/golang/go/issues/45710

MISC

https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:golang:go::::::::`	go	>= None	< 1.15.12
`cpe:2.3:a:golang:go::::::::`	go	>= 1.16.0	< 1.16.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= None

< 1.15.12

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= 1.16.0

< 1.16.4

Source package	Branch	Version	Maintainer	Status
go	3.13-community	1.15.12-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

3.13-community

1.15.12-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

References

Match rules

Vulnerable and fixed packages