Veracode Vulnerability DatabaseVERACODE:44637Denial Of Service (DoS)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.4 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
19.3%
github.com/golang/go is vulnerable to Denial Of Service (DoS). The vulnerability exists because the readChunkLine function in chunked.go does not properly check the bytes from the request or response body. A malicious attacker can exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. This may lead to an application crash by inserting large metadata segments within the HTTP header.
References
github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd
github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7
github.com/golang/go/issues/64433
go-review.googlesource.com/c/go/+/547335
go.dev/cl/547335
go.dev/issue/64433
groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
pkg.go.dev/vuln/GO-2023-2382
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.4 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
19.3%