CVE-2022-41717

Name
CVE-2022-41717
Description
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
MISC https://pkg.go.dev/vuln/GO-2022-1144
MISC https://go.dev/cl/455717
MISC https://go.dev/issue/56350
MISC https://go.dev/cl/455635
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
security@golang.org https://security.gentoo.org/glsa/202311-09
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= 1.19.0 < 1.19.4
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.18.9
cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:* http2 >= None < 0.4.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
minio-client edge-community 0.20230111.031416-r0 None fixed
minio-client 3.22-community 0.20230111.031416-r0 None fixed
minio-client 3.21-community 0.20230111.031416-r0 None fixed
minio-client 3.20-community 0.20230111.031416-r0 None fixed
minio-client 3.19-community 0.20230111.031416-r0 None fixed
minio-client 3.18-community 0.20230111.031416-r0 None fixed
go edge-community 1.9.4-r0 None fixed
go edge-community 1.19.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go edge-community 1.19.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go edge-community 1.19.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go edge-community 1.19.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go edge-community 1.18.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go edge-community 1.18.4-r0 None fixed
go edge-community 1.18.1-r0 None fixed
go edge-community 1.17.8-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.17.7-r0 None fixed
go edge-community 1.17.6-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.17.3-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.17.2-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.17.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.17-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.16.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.16.6-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.16.5-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.16.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
go edge-community 1.16.2-r0 None fixed
go edge-community 1.15.7-r0 None fixed
go edge-community 1.15.5-r0 None fixed
go edge-community 1.15.2-r0 None fixed
go edge-community 1.15-r0 None fixed
go edge-community 1.14.5-r0 None fixed
go edge-community 1.13.7-r0 None fixed
go edge-community 1.13.2-r0 None fixed
go edge-community 1.13.1-r0 None fixed
go edge-community 1.12.8-r0 None fixed
go edge-community 1.11.5-r0 None fixed
go edge-community 0 None possibly vulnerable
go 3.22-community 1.9.4-r0 None fixed
go 3.22-community 1.19.4-r0 None fixed
go 3.22-community 1.19.2-r0 None fixed
go 3.22-community 1.19.1-r0 None fixed
go 3.22-community 1.18.5-r0 None fixed
go 3.22-community 1.18.4-r0 None fixed
go 3.22-community 1.18.1-r0 None fixed
go 3.22-community 1.17.8-r0 None fixed
go 3.22-community 1.17.7-r0 None fixed
go 3.22-community 1.17.6-r0 None fixed
go 3.22-community 1.17.3-r0 None fixed
go 3.22-community 1.17.2-r0 None fixed
go 3.22-community 1.17.1-r0 None fixed
go 3.22-community 1.17-r0 None fixed
go 3.22-community 1.16.7-r0 None fixed
go 3.22-community 1.16.6-r0 None fixed
go 3.22-community 1.16.5-r0 None fixed
go 3.22-community 1.16.4-r0 None fixed
go 3.22-community 1.16.2-r0 None fixed
go 3.22-community 1.15.7-r0 None fixed
go 3.22-community 1.15.5-r0 None fixed
go 3.22-community 1.15.2-r0 None fixed
go 3.22-community 1.15-r0 None fixed
go 3.22-community 1.14.5-r0 None fixed
go 3.22-community 1.13.7-r0 None fixed
go 3.22-community 1.13.2-r0 None fixed
go 3.22-community 1.13.1-r0 None fixed
go 3.22-community 1.12.8-r0 None fixed
go 3.22-community 1.11.5-r0 None fixed
go 3.22-community 0 None possibly vulnerable
go 3.21-community 1.19.4-r0 None fixed
go 3.20-community 1.19.4-r0 None fixed
go 3.19-community 1.19.4-r0 None fixed
go 3.18-community 1.19.4-r0 None fixed
go 3.17-community 1.19.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed