HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

CPENameOperatorVersion
golangge1.20.0
golanglt1.19.8
golanglt1.20.3

Name	Operator	Version
golang	ge	1.20.0
golang	lt	1.19.8
golang	lt	1.20.3

References

go.dev/cl/481994

go.dev/issue/58975

groups.google.com/g/golang-announce/c/Xdv6JL9ENs8

pkg.go.dev/vuln/GO-2023-1704

security.gentoo.org/glsa/202311-09

security.netapp.com/advisory/ntap-20230526-0007/

nessus 61

cve 1

redhatcve 1

cvelist 1

veracode 2

amazon 3

debiancve 1

ibm 18

ubuntucve 1

osv 13

wolfi 1

cgr 1

prion 1

alpinelinux 1

cbl_mariner 3

freebsd 2

github 1

redhat 40

openvas 12

altlinux 1

mageia 1

almalinux 8

ubuntu 3

oraclelinux 7

redos 1

photon 7

gentoo 1

nessus

Amazon Linux 2 : golang (ALAS-2023-2037)

2023-05-17 00:00:00

EulerOS 2.0 SP9 : golang (EulerOS-SA-2023-2314)

2023-07-09 00:00:00

RHEL 9 : OpenShift Container Platform 4.13.8 (RHSA-2023:4459)

2024-04-28 00:00:00

cve

CVE-2023-24534

2023-04-06 16:15:07

redhatcve

CVE-2023-24534

2023-04-04 20:43:18

cvelist

CVE-2023-24534 Excessive memory allocation in net/http and net/textproto

2023-04-06 15:50:45

veracode

Denial Of Service (DoS)

2023-04-11 23:43:20

Denial Of Service (DoS)

2023-04-18 10:56:33

amazon

Important: golang

2023-05-11 17:49:00

Important: golang

2023-04-13 19:28:00

Important: golang

2023-04-13 19:01:00

debiancve

CVE-2023-24534

2023-04-06 16:15:07

ibm

Security Bulletin: IBM App Connect Enterprise Certified Container operands and operator may be vulnerable to denial of service due to [CVE-2023-24534]

2023-06-28 15:22:43

Security Bulletin: IBM Storage Protect Server is vulnerable to denial of service due to Golang Go ( CVE-2023-24534 )

2023-07-24 16:11:55

Security Bulletin: Operations Dashboard is vulnerable to denial of service due to Go (CVE-2023-24534)

2023-10-02 13:50:14

ubuntucve

CVE-2023-24534

2023-04-06 00:00:00

osv

Excessive memory allocation in net/http and net/textproto

2023-04-05 21:04:28

CVE-2023-24534

2023-04-06 16:15:07

Traefik HTTP header parsing could cause a denial of service

2023-04-11 20:59:22

wolfi

CVE-2023-24534 vulnerabilities

2024-06-01 15:24:07

cgr

CVE-2023-24534 vulnerabilities

2024-05-19 03:07:16

prion

Design/Logic Flaw

2023-04-06 16:15:00

alpinelinux

CVE-2023-24534

2023-04-06 16:15:07

cbl_mariner

CVE-2023-24534 affecting package msft-golang for versions less than 1.20.7-1

2024-06-01 15:23:42

CVE-2023-24534 affecting package golang for versions less than 1.20.7-1

2024-06-01 15:23:42

CVE-2023-24534 affecting package golang for versions less than 1.20.7-1

2024-06-01 15:23:35

freebsd

traefik -- Use of vulnerable Go modules net/http, net/textproto

2023-03-10 00:00:00

go -- multiple vulnerabilities

2023-04-04 00:00:00

github

Traefik HTTP header parsing could cause a denial of service

2023-04-11 20:59:22

redhat

(RHSA-2023:4459) Moderate: OpenShift Container Platform 4.13.8 packages and security update

2023-08-08 11:24:53

(RHSA-2023:4986) Moderate: Red Hat OpenShift Distributed Tracing 2.9.0 security update

2023-09-06 07:54:47

(RHSA-2023:3536) Important: OpenShift Container Platform 4.13.3 packages and security update

2023-06-13 13:18:37

openvas

Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-2314)

2023-07-10 00:00:00

Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-2334)

2023-07-10 00:00:00

SUSE: Security Advisory (SUSE-SU-2023:1792-1)

2023-04-07 00:00:00

altlinux

Security fix for the ALT Linux 10 package golang version 1.19.8-alt1

2023-04-10 00:00:00

mageia

Updated golang packages fix security vulnerability

2023-04-15 22:03:44

almalinux

Moderate: grafana security and enhancement update

2023-11-07 00:00:00

Moderate: toolbox security and bug fix update

2023-11-07 00:00:00

Moderate: containernetworking-plugins security and bug fix update

2023-11-07 00:00:00

ubuntu

Go vulnerabilities

2023-06-06 00:00:00

Go vulnerabilities

2023-04-25 00:00:00

Go vulnerabilities

2024-01-09 00:00:00

oraclelinux

grafana security and enhancement update

2023-11-11 00:00:00

skopeo security update

2023-11-11 00:00:00

containernetworking-plugins security and bug fix update

2023-11-11 00:00:00

redos

ROS-20240418-06

2024-04-18 00:00:00

photon

Critical Photon OS Security Update - PHSA-2023-5.0-0037

2023-06-23 00:00:00

Critical Photon OS Security Update - PHSA-2023-4.0-0425

2023-07-12 00:00:00

Critical Photon OS Security Update - PHSA-2023-5.0-0043

2023-07-04 00:00:00

gentoo

Go: Multiple Vulnerabilities

2023-11-25 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.5%

JSON

Related for OSV:BIT-GOLANG-2023-24534