CVE-2023-39326

Denial of service via chunk extensions in net/http

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

Un remitente HTTP malicioso puede usar extensiones de fragmentos para hacer que un receptor que lea el cuerpo de una solicitud o respuesta lea muchos más bytes de la red que los que hay en el cuerpo. Un cliente HTTP malicioso puede aprovechar esto aún más para hacer que un servidor lea automáticamente una gran cantidad de datos (hasta aproximadamente 1 GiB) cuando un controlador no puede leer el cuerpo completo de una solicitud. Las extensiones fragmentadas son una característica HTTP poco utilizada que permite incluir metadatos adicionales en el cuerpo de una solicitud o respuesta enviada utilizando la codificación fragmentada. El lector de codificación fragmentada net/http descarta estos metadatos. Un remitente puede aprovechar esto insertando un segmento de metadatos grande con cada byte transferido. El lector de fragmentos ahora produce un error si la proporción entre el cuerpo real y los bytes codificados es demasiado pequeña.

A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).

*Credits: Bartek Nowotarski

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-07-27 CVE Reserved
2023-12-06 CVE Published
2023-12-13 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (7)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G

URL	Date	SRC

URL	Date	SRC
https://go.dev/cl/547335	2024-01-20
https://go.dev/issue/64433	2024-01-20
https://pkg.go.dev/vuln/GO-2023-2382	2024-01-20

URL	Date	SRC
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ	2024-01-20
https://access.redhat.com/security/cve/CVE-2023-39326	2024-06-17
https://bugzilla.redhat.com/show_bug.cgi?id=2253330	2024-06-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.20.12 Search vendor "Golang" for product "Go" and version " < 1.20.12"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.21.0-0 < 1.21.5 Search vendor "Golang" for product "Go" and version " >= 1.21.0-0 < 1.21.5"		-		Affected