Page 7 of 123 results (0.028 seconds)

CVSS: 7.5EPSS: 4%CPEs: 4EXPL: 0

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests. • https://go.dev/cl/468135 https://go.dev/cl/468295 https://go.dev/issue/57855 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU https://lists • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. • https://go.dev/cl/468125 https://go.dev/issue/58001 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://pkg.go.dev/vuln/GO-2023-1570 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-41724 https://bugzilla.redhat.com/show_bug.cgi?id=2178492 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. • https://go.dev/cl/468124 https://go.dev/issue/58006 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://pkg.go.dev/vuln/GO-2023-1569 https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/CVE-2022-41725 https://bugzilla.redhat.com/show_bug.cgi?id=2178488 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ". • https://go.dev/cl/468123 https://go.dev/issue/57274 https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E https://pkg.go.dev/vuln/GO-2023-1568 https://access.redhat.com/security/cve/CVE-2022-41722 https://bugzilla.redhat.com/show_bug.cgi?id=2203008 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. Un atacante puede provocar un crecimiento excesivo de la memoria en un servidor Go que acepta solicitudes HTTP/2. Las conexiones del servidor HTTP/2 contienen un caché de claves de encabezado HTTP enviadas por el cliente. • https://go.dev/cl/455635 https://go.dev/cl/455717 https://go.dev/issue/56350 https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4 https • CWE-770: Allocation of Resources Without Limits or Throttling •