Page 6 of 31 results (0.018 seconds)

CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. • https://go.dev/cl/482075 https://go.dev/cl/482076 https://go.dev/cl/482077 https://go.dev/issue/59153 https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 https://pkg.go.dev/vuln/GO-2023-1705 https://security.gentoo.org/glsa/202311-09 https://security.netapp.com/advisory/ntap-20230526-0007 https://access.redhat.com/security/cve/CVE-2023-24536 https://bugzilla.redhat.com/show_bug.cgi?id=2184482 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh. • https://go.dev/cl/471255 https://go.dev/issue/58647 https://groups.google.com/g/golang-announce/c/3-TpUx48iQY https://pkg.go.dev/vuln/GO-2023-1621 https://access.redhat.com/security/cve/CVE-2023-24532 https://bugzilla.redhat.com/show_bug.cgi?id=2223355 • CWE-682: Incorrect Calculation •

CVSS: 7.5EPSS: 4%CPEs: 4EXPL: 0

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests. • https://go.dev/cl/468135 https://go.dev/cl/468295 https://go.dev/issue/57855 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU https://lists • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. • https://go.dev/cl/468125 https://go.dev/issue/58001 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://pkg.go.dev/vuln/GO-2023-1570 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-41724 https://bugzilla.redhat.com/show_bug.cgi?id=2178492 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. • https://go.dev/cl/468124 https://go.dev/issue/58006 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://pkg.go.dev/vuln/GO-2023-1569 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-41725 https://bugzilla.redhat.com/show_bug.cgi?id=2178488 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •