CVE-2023-45290 – Memory exhaustion in multipart form parsing in net/textproto and net/http
https://notcve.org/view.php?id=CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

References:
http://www.openwall.com/lists/oss-security/2024/03/08/4
https://go.dev/cl/569341
https://go.dev/issue/65383
https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
https://pkg.go.dev/vuln/GO-2024-2599
https://security.netapp.com/advisory/ntap-20240329-0004
https://access.redhat.com/security/cve/CVE-2023-45290
https://bugzilla.redhat.com/show_bug.cgi?id=2268017

Weaknesses:
CWE-20: Improper Input Validation
CWE-770: Allocation of Resources Without Limits or Throttling
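A defensive pattern that bounds the memory a multipart request can consume regardless of the Go patch level, as an added example that is not code from the advisory or the Go project: the handler wraps the body in http.MaxBytesReader before calling ParseMultipartForm, and a constructed form with one very long header line is used to show the cap turning the request into a 413. The handler name, the 1 MiB cap and the "X-Padding" header are assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxFormBytes caps the whole body (chosen for this example); no form line can exceed it.
const maxFormBytes = 1 << 20

// uploadHandler parses the form only through http.MaxBytesReader; an oversized
// body fails as *http.MaxBytesError and is answered with 413 instead of buffered.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	// maxMemory only decides when file parts spill to disk; it is not a line limit.
	if err := r.ParseMultipartForm(32 << 10); err != nil {
		code := http.StatusBadRequest
		if errors.As(err, new(*http.MaxBytesError)) { // body hit the cap
			code = http.StatusRequestEntityTooLarge
		}
		http.Error(w, http.StatusText(code), code)
		return
	}
	fmt.Fprintf(w, "ok: name=%s", r.FormValue("name"))
}

// postForm builds a constructed multipart/form-data body whose single part carries an
// extra header line of lineLen bytes, submits it to uploadHandler and returns the status.
func postForm(lineLen int) int {
	body := &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	part, _ := mw.CreatePart(map[string][]string{
		"Content-Disposition": {`form-data; name="name"`},
		"X-Padding":           {strings.Repeat("a", lineLen)}, // the very long line
	})
	part.Write([]byte("alice"))
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() { fmt.Println(postForm(64), postForm(4<<20)) } // 200 413
```

Because the cap is enforced on the raw body, it also protects an unpatched Go release, where ParseMultipartForm itself would otherwise read the whole line into memory.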