CVE-2023-45288
HTTP/2 CONTINUATION flood in net/http
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Un atacante puede hacer que un endpoint HTTP/2 lea cantidades arbitrarias de datos de encabezado enviando una cantidad excesiva de tramas de CONTINUACIÓN. Mantener el estado de HPACK requiere analizar y procesar todos los encabezados y tramas de CONTINUACIÓN en una conexión. Cuando los encabezados de una solicitud exceden MaxHeaderBytes, no se asigna memoria para almacenar los encabezados sobrantes, pero aún así se analizan. Esto permite a un atacante hacer que un endpoint HTTP/2 lea cantidades arbitrarias de datos de encabezado, todos asociados con una solicitud que será rechazada. Estos encabezados pueden incluir datos codificados por Huffman, cuya decodificación es significativamente más costosa para el receptor que para el atacante. La solución establece un límite en la cantidad de fotogramas de encabezado excedentes que procesaremos antes de cerrar una conexión.
A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-10-06 CVE Reserved
- 2024-04-04 CVE Published
- 2024-04-25 EPSS Updated
- 2024-08-26 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (10)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-45288 | 2024-09-18 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2268273 | 2024-09-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Go Standard Library Search vendor "Go Standard Library" | Net/http Search vendor "Go Standard Library" for product "Net/http" | < 1.21.9 Search vendor "Go Standard Library" for product "Net/http" and version " < 1.21.9" | en |
Affected
| ||||||
| Go Standard Library Search vendor "Go Standard Library" | Net/http Search vendor "Go Standard Library" for product "Net/http" | >= 1.22.0-0 < 1.22.2 Search vendor "Go Standard Library" for product "Net/http" and version " >= 1.22.0-0 < 1.22.2" | en |
Affected
| ||||||
| Golang.org/x/net Search vendor "Golang.org/x/net" | Golang.org/x/net/http2 Search vendor "Golang.org/x/net" for product "Golang.org/x/net/http2" | < 0.23.0 Search vendor "Golang.org/x/net" for product "Golang.org/x/net/http2" and version " < 0.23.0" | en |
Affected
| ||||||