CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

AI Score: 7.7 High (Confidence: High)

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

EPSS: 0.002 Low (Percentile: 59.0%)
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
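The bounding behaviour the fix describes, modelled as an added Go example (not code from golang.org/x/net or the Go project): a limiter caps executing handlers at the stream concurrency limit, queues requests that arrive at the limit, and rejects them once the queue is full, which is where the server would terminate the connection. `HandlerLimiter`, `Submit`, `Simulate` and the queue size are hypothetical names and values chosen for this example.

```go
package main

import (
	"errors"
	"sync"
)

// ErrQueueOverflow stands in for the server terminating the connection.
var ErrQueueOverflow = errors.New("request queue overflow: terminating connection")
// HandlerLimiter (hypothetical name) caps executing handler goroutines at
// MaxConcurrentStreams and lets at most maxQueued requests wait for a slot.
type HandlerLimiter struct {
	slots   chan struct{} // one token per executing handler goroutine
	waiting chan struct{} // one token per request queued for a slot
}
// Submit runs h now if a handler slot is free, queues it until a running
// handler exits otherwise, and rejects it when the queue is full. A RST_STREAM
// frees the client's stream slot but never a handler slot.
func (l *HandlerLimiter) Submit(h func()) error {
	select {
	case l.slots <- struct{}{}:
		go func() { h(); <-l.slots }()
		return nil
	default:
	}
	select {
	case l.waiting <- struct{}{}:
		go func() { l.slots <- struct{}{}; <-l.waiting; h(); <-l.slots }()
		return nil
	default:
		return ErrQueueOverflow
	}
}
// Simulate submits n requests whose handlers all block until released (the
// state a rapid-reset client leaves them in); returns ran and rejected counts.
func Simulate(maxStreams, maxQueued, n int) (ran, rejected int) {
	l := &HandlerLimiter{make(chan struct{}, maxStreams), make(chan struct{}, maxQueued)}
	release := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		if l.Submit(func() { <-release; wg.Done() }) != nil {
			wg.Done()
			rejected++
		}
	}
	close(release)
	wg.Wait() // returns only after every admitted handler has run
	return n - rejected, rejected
}
```

With the page's default of 250 streams and a constructed queue size of 3, 260 simultaneously held requests yield 253 handlers that eventually run and 7 submissions that would have closed the connection.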
CPE

Name | Operator | Version |
---|---|---|
golang.org/x/net | lt | 0.17.0 |
github.com/advisories/GHSA-4374-p667-p6c8
github.com/golang/go/issues/63417
go.dev/cl/534215
go.dev/cl/534235
go.dev/issue/63417
groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ
nvd.nist.gov/vuln/detail/CVE-2023-39325
pkg.go.dev/vuln/GO-2023-2102
security.gentoo.org/glsa/202311-09
security.netapp.com/advisory/ntap-20231110-0008