CVE-2022-41717
Excessive memory growth in net/http and golang.org/x/net/http2
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Un atacante puede provocar un crecimiento excesivo de la memoria en un servidor Go que acepta solicitudes HTTP/2. Las conexiones del servidor HTTP/2 contienen un caché de claves de encabezado HTTP enviadas por el cliente. Si bien el número total de entradas en esta caché está limitado, un atacante que envía claves muy grandes puede hacer que el servidor asigne aproximadamente 64 MiB por conexión abierta.
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-28 CVE Reserved
- 2022-12-08 CVE Published
- 2022-12-13 First Exploit
- 2025-02-13 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (26)
| URL | Date | SRC |
|---|---|---|
| https://github.com/domdom82/h2conn-exploit | 2022-12-13 |
| URL | Date | SRC |
|---|---|---|
| https://go.dev/cl/455635 | 2024-01-18 | |
| https://go.dev/cl/455717 | 2024-01-18 | |
| https://go.dev/issue/56350 | 2024-01-18 |
| URL | Date | SRC |
|---|---|---|
| https://pkg.go.dev/vuln/GO-2022-1144 | 2024-01-18 | |
| https://access.redhat.com/security/cve/CVE-2022-41717 | 2024-02-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2161274 | 2024-02-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.18.9 Search vendor "Golang" for product "Go" and version " < 1.18.9" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.19.0 < 1.19.4 Search vendor "Golang" for product "Go" and version " >= 1.19.0 < 1.19.4" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Http2 Search vendor "Golang" for product "Http2" | < 0.4.0 Search vendor "Golang" for product "Http2" and version " < 0.4.0" | go |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||