CVE-2021-44716
golang: net/http: limit growth of header canonicalization cache
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2.
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-12-07 CVE Reserved
- 2021-12-16 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf |
|
|
| https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20220121-0002 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://groups.google.com/g/golang-announce/c/hcmEScgc00k | 2023-04-20 |
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202208-02 | 2023-04-20 | |
| https://access.redhat.com/security/cve/CVE-2021-44716 | 2023-01-25 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2030801 | 2023-01-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.16.12 Search vendor "Golang" for product "Go" and version " < 1.16.12" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.17.0 < 1.17.5 Search vendor "Golang" for product "Go" and version " >= 1.17.0 < 1.17.5" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Cloud Insights Telegraf Search vendor "Netapp" for product "Cloud Insights Telegraf" | - | - |
Affected
| ||||||