CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.7 Medium
Confidence: High

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 19.3%

A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from the
network than are in the body. A malicious HTTP client can further exploit
this to cause a server to automatically read a large amount of data (up to
about 1GiB) when a handler fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including
additional metadata in a request or response body sent using the chunked
encoding. The net/http chunked encoding reader discards this metadata. A
sender can exploit this by inserting a large metadata segment with each
byte transferred. The chunk reader now produces an error if the ratio of
real body to encoded bytes grows too small.
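
The accounting described in the last sentence above can be sketched as follows. This is an added example, not the net/http code or anything from the Go project: `DecodeChunked`, `ErrTooMuchNonData` and the budget constants are names and values assumed here for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Assumed budget: 16 framing bytes per chunk plus twice its data are free, 16 KiB of excess is fatal.
const perChunkAllowance, maxExcess = 16, 16 << 10
var ErrTooMuchNonData = errors.New("chunked body contains too much non-data")

// DecodeChunked discards chunk extensions but charges their bytes to the budget.
func DecodeChunked(r io.Reader) (string, error) {
	br := bufio.NewReader(r) // ReadSlice fails on chunk lines over 4096 bytes
	var body strings.Builder
	var excess int64
	for {
		line, err := br.ReadSlice('\n')
		if err != nil {
			return "", err
		}
		excess += int64(len(line)) + 2 // chunk line plus the CRLF after the data
		size, _, _ := strings.Cut(strings.TrimSpace(string(line)), ";")
		n, err := strconv.ParseUint(strings.TrimSpace(size), 16, 31)
		if err != nil {
			return "", fmt.Errorf("bad chunk size: %w", err)
		}
		if excess -= perChunkAllowance + 2*int64(n); excess > maxExcess {
			return "", ErrTooMuchNonData
		} else if excess < 0 {
			excess = 0 // real data never builds up credit for later overhead
		}
		if n == 0 {
			return body.String(), nil // trailers are not parsed in this example
		}
		if _, err := io.CopyN(&body, br, int64(n)); err != nil {
			return "", err
		}
		br.Discard(2) // CRLF after the data; a short read fails the next ReadSlice
	}
}

func main() { // constructed input: two ordinary chunks, no extensions
	fmt.Println(DecodeChunked(strings.NewReader("5\r\nhello\r\n1\r\n!\r\n0\r\n\r\n")))
}
```

With this budget, one-byte chunks and short extensions decode normally, while a body whose chunk lines consistently outweigh its data is rejected after a bounded amount of reading.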
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | golang-1.20 | < 1.20.3-1ubuntu0.1~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.20 | < 1.20.3-1ubuntu0.1~22.04.1 | UNKNOWN |
ubuntu | 23.04 | noarch | golang-1.20 | < 1.20.3-1ubuntu0.2 | UNKNOWN |
ubuntu | 23.10 | noarch | golang-1.20 | < 1.20.8-1ubuntu0.23.10.1 | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.21 | < 1.21.1-1~ubuntu20.04.2 | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.21 | < 1.21.1-1~ubuntu22.04.2 | UNKNOWN |
ubuntu | 23.04 | noarch | golang-1.21 | < 1.21.1-1~ubuntu23.04.2 | UNKNOWN |
ubuntu | 23.10 | noarch | golang-1.21 | < 1.21.1-1ubuntu0.23.10.1 | UNKNOWN |
github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd (go1.20.12)
github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7 (go1.21.5)
go.dev/issue/64433
launchpad.net/bugs/cve/CVE-2023-39326
nvd.nist.gov/vuln/detail/CVE-2023-39326
security-tracker.debian.org/tracker/CVE-2023-39326
ubuntu.com/security/notices/USN-6574-1
www.cve.org/CVERecord?id=CVE-2023-39326