CVE-2022-41723

Name
CVE-2022-41723
Description
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://go.dev/cl/468135
MISC https://go.dev/issue/57855
MISC https://go.dev/cl/468295
MISC https://pkg.go.dev/vuln/GO-2023-1571
MISC https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
https://www.couchbase.com/alerts/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
security@golang.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
security@golang.org https://security.gentoo.org/glsa/202311-09
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20230331-0010/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.19.6
cpe:2.3:a:golang:go:1.20.0:-:*:*:*:*:*:* go == None == 1.20.0
cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:* http2 >= None < 0.7.0
cpe:2.3:a:golang:hpack:*:*:*:*:*:go:*:* hpack >= None < 0.7.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
podman edge-community 4.4.3-r0 Michał Polański <michal@polanski.me> fixed
podman 3.22-community 4.4.3-r0 None fixed
podman 3.21-community 4.4.3-r0 None fixed
podman 3.20-community 4.4.3-r0 None fixed
podman 3.19-community 4.4.3-r0 None fixed
podman 3.18-community 4.4.3-r0 None fixed
go edge-community 1.20.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go edge-community 1.19.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.18.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.18.4-r0 None possibly vulnerable
go edge-community 1.18.1-r0 None possibly vulnerable
go edge-community 1.17.8-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.7-r0 None possibly vulnerable
go edge-community 1.17.6-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.2-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.7-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.6-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.2-r0 None possibly vulnerable
go edge-community 1.15.7-r0 None possibly vulnerable
go edge-community 1.15.5-r0 None possibly vulnerable
go edge-community 1.15.2-r0 None possibly vulnerable
go edge-community 1.15-r0 None possibly vulnerable
go edge-community 1.14.5-r0 None possibly vulnerable
go edge-community 1.13.7-r0 None possibly vulnerable
go edge-community 1.13.2-r0 None possibly vulnerable
go edge-community 1.13.1-r0 None possibly vulnerable
go edge-community 1.12.8-r0 None possibly vulnerable
go edge-community 1.11.5-r0 None possibly vulnerable
go edge-community 1.9.4-r0 None possibly vulnerable
go 3.22-community 1.20.1-r0 None fixed
go 3.22-community 1.19.4-r0 None possibly vulnerable
go 3.22-community 1.19.2-r0 None possibly vulnerable
go 3.22-community 1.19.1-r0 None possibly vulnerable
go 3.22-community 1.18.5-r0 None possibly vulnerable
go 3.22-community 1.18.4-r0 None possibly vulnerable
go 3.22-community 1.18.1-r0 None possibly vulnerable
go 3.22-community 1.17.8-r0 None possibly vulnerable
go 3.22-community 1.17.7-r0 None possibly vulnerable
go 3.22-community 1.17.6-r0 None possibly vulnerable
go 3.22-community 1.17.3-r0 None possibly vulnerable
go 3.22-community 1.17.2-r0 None possibly vulnerable
go 3.22-community 1.17.1-r0 None possibly vulnerable
go 3.22-community 1.17-r0 None possibly vulnerable
go 3.22-community 1.16.7-r0 None possibly vulnerable
go 3.22-community 1.16.6-r0 None possibly vulnerable
go 3.22-community 1.16.5-r0 None possibly vulnerable
go 3.22-community 1.16.4-r0 None possibly vulnerable
go 3.22-community 1.16.2-r0 None possibly vulnerable
go 3.22-community 1.15.7-r0 None possibly vulnerable
go 3.22-community 1.15.5-r0 None possibly vulnerable
go 3.22-community 1.15.2-r0 None possibly vulnerable
go 3.22-community 1.15-r0 None possibly vulnerable
go 3.22-community 1.14.5-r0 None possibly vulnerable
go 3.22-community 1.13.7-r0 None possibly vulnerable
go 3.22-community 1.13.2-r0 None possibly vulnerable
go 3.22-community 1.13.1-r0 None possibly vulnerable
go 3.22-community 1.12.8-r0 None possibly vulnerable
go 3.22-community 1.11.5-r0 None possibly vulnerable
go 3.22-community 1.9.4-r0 None possibly vulnerable
go 3.21-community 1.20.1-r0 None fixed
go 3.20-community 1.20.1-r0 None fixed
go 3.19-community 1.20.1-r0 None fixed
go 3.18-community 1.20.1-r0 None fixed
go 3.17-community 1.19.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed