CVE-2023-45288

HTTP/2 CONTINUATION flood in net/http

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Un atacante puede hacer que un endpoint HTTP/2 lea cantidades arbitrarias de datos de encabezado enviando una cantidad excesiva de tramas de CONTINUACIÓN. Mantener el estado de HPACK requiere analizar y procesar todos los encabezados y tramas de CONTINUACIÓN en una conexión. Cuando los encabezados de una solicitud exceden MaxHeaderBytes, no se asigna memoria para almacenar los encabezados sobrantes, pero aún así se analizan. Esto permite a un atacante hacer que un endpoint HTTP/2 lea cantidades arbitrarias de datos de encabezado, todos asociados con una solicitud que será rechazada. Estos encabezados pueden incluir datos codificados por Huffman, cuya decodificación es significativamente más costosa para el receptor que para el atacante. La solución establece un límite en la cantidad de fotogramas de encabezado excedentes que procesaremos antes de cerrar una conexión.

A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.

This update for kubernetes1.23 fixes the following issues. Escape, meta and control sequences in raw data output to terminal not neutralized. Bypass of policies imposed by the ImagePolicyWebhook admission plugin. Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin. Go1.20: excessive resource consumption when dealing with rapid stream resets. Google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability. Golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers. Kube-controller-manager pod crash when processing malformed HPA v1 manifests. Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin. Github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON. Bug fixes. Use -trimpath in non-DBG mode for reproducible builds. Fixed multiple issues for successful 'kubeadm init' run. Update go to version 1.22.5 in build requirements.

*Credits: Bartek Nowotarski (https://nowotarski.info/)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-06 CVE Reserved
2024-04-04 CVE Published
2024-10-23 First Exploit
2025-02-13 CVE Updated
2025-07-22 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (11)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/03/16
http://www.openwall.com/lists/oss-security/2024/04/05/4
https://go.dev/cl/576155
https://go.dev/issue/65051
https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT
https://pkg.go.dev/vuln/GO-2024-2687
https://security.netapp.com/advisory/ntap-20240419-0009

URL	Date	SRC
https://github.com/hex0punk/cont-flood-poc	2024-10-23

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-45288	2025-05-28
https://bugzilla.redhat.com/show_bug.cgi?id=2268273	2025-05-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Go Standard Library Search vendor "Go Standard Library"		Net/http Search vendor "Go Standard Library" for product "Net/http"				< 1.21.9 Search vendor "Go Standard Library" for product "Net/http" and version " < 1.21.9"		en		Affected
Go Standard Library Search vendor "Go Standard Library"		Net/http Search vendor "Go Standard Library" for product "Net/http"				>= 1.22.0-0 < 1.22.2 Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.22.0-0 < 1.22.2"		en		Affected
Golang.org/x/net Search vendor "Golang.org/x/net"		Golang.org/x/net/http2 Search vendor "Golang.org/x/net" for product "Golang.org/x/net/http2"				< 0.23.0 Search vendor "Golang.org/x/net" for product "Golang.org/x/net/http2" and version " < 0.23.0"		en		Affected