CVE-2023-45288

CVE-2023-45288

Name

CVE-2023-45288

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security@golang.org	https://go.dev/cl/576155
security@golang.org	https://go.dev/issue/65051
security@golang.org	https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
security@golang.org	https://pkg.go.dev/vuln/GO-2024-2687
security@golang.org	https://security.netapp.com/advisory/ntap-20240419-0009/
security@golang.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
security@golang.org	http://www.openwall.com/lists/oss-security/2024/04/05/4
security@golang.org	http://www.openwall.com/lists/oss-security/2024/04/03/16
af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/421644

Type

URI

security@golang.org

https://go.dev/cl/576155

security@golang.org

https://go.dev/issue/65051

security@golang.org

https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M

security@golang.org

https://pkg.go.dev/vuln/GO-2024-2687

security@golang.org

https://security.netapp.com/advisory/ntap-20240419-0009/

security@golang.org

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/

security@golang.org

http://www.openwall.com/lists/oss-security/2024/04/05/4

security@golang.org

http://www.openwall.com/lists/oss-security/2024/04/03/16

af854a3a-2127-422b-91ae-364da2661108

https://www.kb.cert.org/vuls/id/421644

Source package	Min version	Max version
net/http	>= 0	< 1.21.9
net/http	>= 1.22.0-0	< 1.22.2
golang.org/x/net/http2	>= 0	< 0.23.0

CPE URI

Source package

Min version

Max version

net/http

>= 0

< 1.21.9

net/http

>= 1.22.0-0

< 1.22.2

golang.org/x/net/http2

>= 0

< 0.23.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
rclone	edge-community	1.67.0-r0	Mike Crute <mike@crute.us>	fixed
rclone	3.22-community	1.67.0-r0	None	fixed
rclone	3.21-community	1.67.0-r0	None	fixed
go	edge-community	1.22.2-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	fixed
go	3.22-community	1.22.2-r0	None	fixed
go	3.21-community	1.22.2-r0	None	fixed
go	3.20-community	1.22.2-r0	None	fixed
go	3.19-community	1.21.9-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	fixed
forgejo	edge-community	1.21.10.0-r0	None	fixed
forgejo	3.22-community	1.21.10.0-r0	None	fixed
forgejo	3.21-community	1.21.10.0-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

rclone

edge-community

1.67.0-r0

Mike Crute <mike@crute.us>

fixed

rclone

3.22-community