CVE-2023-45288 – HTTP/2 CONTINUATION flood in net/http
https://notcve.org/view.php?id=CVE-2023-45288
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. • http://www.openwall.com/lists/oss-security/2024/04/03/16 http://www.openwall.com/lists/oss-security/2024/04/05/4 https://go.dev/cl/576155 https://go.dev/issue/65051 https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT https://pkg.go.dev/vuln/GO-2024-2687 https://security.netapp.com/advisory/ntap-20240419-0009 https://access.redhat.com/security/ • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-24786 – Infinite loop in JSON unmarshaling in google.golang.org/protobuf
https://notcve.org/view.php?id=CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. La función protojson.Unmarshal puede entrar en un bucle infinito al descomponer ciertas formas de JSON no válido. Esta condición puede ocurrir al descomponer en un mensaje que contiene un valor google.protobuf.Any, o cuando la opción UnmarshalOptions.DiscardUnknown está configurada. A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. • http://www.openwall.com/lists/oss-security/2024/03/08/4 https://go.dev/cl/569356 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU https://pkg.go.dev/vuln/GO-2024-2611 https://security.netapp.com/advisory/ntap-20240517-0002 https://access.redhat.com/security/cve/CVE-2024-24786 https://bugzilla.redhat.com/show_bug.cgi?id=2268046 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. • http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html http://seclists.org/fulldisclosure/2024/Mar/21 http://www.openwall.com/lists/oss-security/2023/12/18/3 http://www.openwall.com/lists/oss-security/2023/12/19/5 http://www.openwall.com/lists/oss-security/2023/12/20/3 http://www.openwall.com/lists/oss-security/2024/03/06/3 http://www.openwall.com/lists/oss-security/2024/04/17/8 https://access.redhat.com/security/cve/cve-2023-48 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •
CVE-2023-45285 – Command 'go get' may unexpectedly fallback to insecure git in cmd/go
https://notcve.org/view.php?id=CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). El uso de go get para buscar un módulo con el sufijo ".git" puede recurrir inesperadamente al protocolo inseguro "git://" si el módulo no está disponible a través de "https://" y "git+ssh://" seguros, protocolos, incluso si GOINSECURE no está configurado para dicho módulo. Esto sólo afecta a los usuarios que no utilizan el proxy del módulo y están obteniendo módulos directamente (es decir, GOPROXY = desactivado). • https://go.dev/cl/540257 https://go.dev/issue/63845 https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G https://pkg.go.dev/vuln/GO-2023-2383 https://access.redhat.com/security/cve/CVE-2023-45285 https://bugzilla.redhat.com/show_bug.cgi?id=2253323 • CWE-693: Protection Mechanism Failure •
CVE-2023-39326 – Denial of service via chunk extensions in net/http
https://notcve.org/view.php?id=CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. • https://go.dev/cl/547335 https://go.dev/issue/64433 https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G https://pkg.go.dev/vuln/GO-2023-2382 https://access.redhat.com/security/cve/CVE-2023-39326 https://bugzilla.redhat.com/show_bug.cgi?id=2253330 • CWE-400: Uncontrolled Resource Consumption •