{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-39326", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-07-27T17:05:55.188Z", "datePublished": "2023-12-06T16:27:53.832Z", "dateUpdated": "2023-12-06T16:27:53.832Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-12-06T16:27:53.832Z"}, "title": "Denial of service via chunk extensions in net/http", "descriptions": [{"lang": "en", "value": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small."}], "affected": [{"vendor": "Go standard library", "product": "net/http/internal", "collectionURL": "https://pkg.go.dev", "packageName": "net/http/internal", "versions": [{"version": "0", "lessThan": "1.20.12", "status": "affected", "versionType": "semver"}, {"version": "1.21.0-0", "lessThan": "1.21.5", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "chunkedReader.beginChunk"}, {"name": "readChunkLine"}, {"name": "chunkedReader.Read"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "references": [{"url": "https://go.dev/issue/64433"}, {"url": "https://go.dev/cl/547335"}, {"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2382"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"}], "credits": [{"lang": "en", "value": "Bartek Nowotarski"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "17AC9A37-6678-490D-88C2-08DE6D37F16C", "versionEndExcluding": "1.20.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9B8295D-576D-410E-B65C-96DB303CBA5C", "versionEndExcluding": "1.21.5", "versionStartIncluding": "1.21.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small."}, {"lang": "es", "value": "Un remitente HTTP malicioso puede usar extensiones de fragmentos para hacer que un receptor que lea el cuerpo de una solicitud o respuesta lea muchos m\u00e1s bytes de la red que los que hay en el cuerpo. Un cliente HTTP malicioso puede aprovechar esto a\u00fan m\u00e1s para hacer que un servidor lea autom\u00e1ticamente una gran cantidad de datos (hasta aproximadamente 1 GiB) cuando un controlador no puede leer el cuerpo completo de una solicitud. Las extensiones fragmentadas son una caracter\u00edstica HTTP poco utilizada que permite incluir metadatos adicionales en el cuerpo de una solicitud o respuesta enviada utilizando la codificaci\u00f3n fragmentada. El lector de codificaci\u00f3n fragmentada net/http descarta estos metadatos. Un remitente puede aprovechar esto insertando un segmento de metadatos grande con cada byte transferido. El lector de fragmentos ahora produce un error si la proporci\u00f3n entre el cuerpo real y los bytes codificados es demasiado peque\u00f1a."}], "id": "CVE-2023-39326", "lastModified": "2024-01-20T04:15:07.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-06T17:15:07.147", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/547335"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://go.dev/issue/64433"}, {"source": "security@golang.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"}, {"source": "security@golang.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2382"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}