CVE-2022-41723 - OpenCVE

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go Hpack Http2

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go:1.20.0:-::::::
	cpe:2.3:a:golang:hpack::::::go::*
	cpe:2.3:a:golang:http2::::::go::*

References

Link	Resource
https://go.dev/cl/468135	Patch
https://go.dev/cl/468295	Patch
https://go.dev/issue/57855	Issue Tracking
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E	Mailing List Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/	Third Party Advisory
https://pkg.go.dev/vuln/GO-2023-1571	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://www.couchbase.com/alerts/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2023-02-28T17:19:45.801Z

Updated: 2023-07-11T19:21:27.617Z

Reserved: 2022-09-28T17:00:06.610Z

Link: CVE-2022-41723

JSON object: View

NVD Information

Status : Modified

Published: 2023-02-28T18:15:09.980

Modified: 2023-11-25T11:15:10.090

Link: CVE-2022-41723

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-41723", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-09-28T17:00:06.610Z", "datePublished": "2023-02-28T17:19:45.801Z", "dateUpdated": "2023-07-11T19:21:27.617Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-07-11T19:21:27.617Z"}, "title": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net", "descriptions": [{"lang": "en", "value": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests."}], "affected": [{"vendor": "Go standard library", "product": "net/http", "collectionURL": "https://pkg.go.dev", "packageName": "net/http", "versions": [{"version": "0", "lessThan": "1.19.6", "status": "affected", "versionType": "semver"}, {"version": "1.20.0-0", "lessThan": "1.20.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Transport.RoundTrip"}, {"name": "Server.Serve"}, {"name": "Client.Do"}, {"name": "Client.Get"}, {"name": "Client.Head"}, {"name": "Client.Post"}, {"name": "Client.PostForm"}, {"name": "Get"}, {"name": "Head"}, {"name": "ListenAndServe"}, {"name": "ListenAndServeTLS"}, {"name": "Post"}, {"name": "PostForm"}, {"name": "Serve"}, {"name": "ServeTLS"}, {"name": "Server.ListenAndServe"}, {"name": "Server.ListenAndServeTLS"}, {"name": "Server.ServeTLS"}], "defaultStatus": "unaffected"}, {"vendor": "golang.org/x/net", "product": "golang.org/x/net/http2", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/net/http2", "versions": [{"version": "0", "lessThan": "0.7.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Transport.RoundTrip"}, {"name": "Server.ServeConn"}, {"name": "ClientConn.Close"}, {"name": "ClientConn.Ping"}, {"name": "ClientConn.RoundTrip"}, {"name": "ClientConn.Shutdown"}, {"name": "ConfigureServer"}, {"name": "ConfigureTransport"}, {"name": "ConfigureTransports"}, {"name": "ConnectionError.Error"}, {"name": "ErrCode.String"}, {"name": "FrameHeader.String"}, {"name": "FrameType.String"}, {"name": "FrameWriteRequest.String"}, {"name": "Framer.ReadFrame"}, {"name": "Framer.WriteContinuation"}, {"name": "Framer.WriteData"}, {"name": "Framer.WriteDataPadded"}, {"name": "Framer.WriteGoAway"}, {"name": "Framer.WriteHeaders"}, {"name": "Framer.WritePing"}, {"name": "Framer.WritePriority"}, {"name": "Framer.WritePushPromise"}, {"name": "Framer.WriteRSTStream"}, {"name": "Framer.WriteRawFrame"}, {"name": "Framer.WriteSettings"}, {"name": "Framer.WriteSettingsAck"}, {"name": "Framer.WriteWindowUpdate"}, {"name": "GoAwayError.Error"}, {"name": "ReadFrameHeader"}, {"name": "Setting.String"}, {"name": "SettingID.String"}, {"name": "SettingsFrame.ForeachSetting"}, {"name": "StreamError.Error"}, {"name": "Transport.CloseIdleConnections"}, {"name": "Transport.NewClientConn"}, {"name": "Transport.RoundTripOpt"}, {"name": "bufferedWriter.Flush"}, {"name": "bufferedWriter.Write"}, {"name": "chunkWriter.Write"}, {"name": "clientConnPool.GetClientConn"}, {"name": "connError.Error"}, {"name": "dataBuffer.Read"}, {"name": "duplicatePseudoHeaderError.Error"}, {"name": "gzipReader.Close"}, {"name": "gzipReader.Read"}, {"name": "headerFieldNameError.Error"}, {"name": "headerFieldValueError.Error"}, {"name": "noDialClientConnPool.GetClientConn"}, {"name": "noDialH2RoundTripper.RoundTrip"}, {"name": "pipe.Read"}, {"name": "priorityWriteScheduler.CloseStream"}, {"name": "priorityWriteScheduler.OpenStream"}, {"name": "pseudoHeaderError.Error"}, {"name": "requestBody.Close"}, {"name": "requestBody.Read"}, {"name": "responseWriter.Flush"}, {"name": "responseWriter.FlushError"}, {"name": "responseWriter.Push"}, {"name": "responseWriter.SetReadDeadline"}, {"name": "responseWriter.SetWriteDeadline"}, {"name": "responseWriter.Write"}, {"name": "responseWriter.WriteHeader"}, {"name": "responseWriter.WriteString"}, {"name": "serverConn.CloseConn"}, {"name": "serverConn.Flush"}, {"name": "stickyErrWriter.Write"}, {"name": "transportResponseBody.Close"}, {"name": "transportResponseBody.Read"}, {"name": "writeData.String"}], "defaultStatus": "unaffected"}, {"vendor": "golang.org/x/net", "product": "golang.org/x/net/http2/hpack", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/net/http2/hpack", "versions": [{"version": "0", "lessThan": "0.7.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Decoder.parseFieldLiteral"}, {"name": "Decoder.readString"}, {"name": "Decoder.DecodeFull"}, {"name": "Decoder.Write"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 400: Uncontrolled Resource Consumption"}]}], "references": [{"url": "https://go.dev/issue/57855"}, {"url": "https://go.dev/cl/468135"}, {"url": "https://go.dev/cl/468295"}, {"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1571"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"}, {"url": "https://www.couchbase.com/alerts/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "credits": [{"lang": "en", "value": "Philippe Antoine (Catena cyber)"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "2219CF76-6D17-487E-9B67-BC49E4743528", "versionEndExcluding": "1.19.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:1.20.0:-:*:*:*:*:*:*", "matchCriteriaId": "B78574DF-045C-4A26-B0F5-8C082B24D9FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:hpack:*:*:*:*:*:go:*:*", "matchCriteriaId": "CA68ED61-191E-4903-B65D-CBA7A0370B8E", "versionEndExcluding": "0.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*", "matchCriteriaId": "3EBDC12D-E7B0-4138-B6B1-709E61703629", "versionEndExcluding": "0.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests."}], "id": "CVE-2022-41723", "lastModified": "2023-11-25T11:15:10.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-28T18:15:09.980", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/468135"}, {"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/468295"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/57855"}, {"source": "security@golang.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-1571"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "security@golang.org", "url": "https://www.couchbase.com/alerts/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}