CVE-2022-41717

Name
CVE-2022-41717
Description
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
NVD Severity
medium

References

| Type | URI |
|------|-----|
| MISC | https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ |
| MISC | https://pkg.go.dev/vuln/GO-2022-1144 |
| MISC | https://go.dev/cl/455717 |
| MISC | https://go.dev/issue/56350 |
| MISC | https://go.dev/cl/455635 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---------|----------------|-------------|-------------|
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | go | >= 1.19.0 | < 1.19.4 |
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | go | >= None | < 1.18.9 |
| cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:* | http2 | >= None | < 0.4.0 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status