HIGH Vulnerable Package issue exists @ golang.org/x/net in branch master
Description
As part of a class of vulnerabilities known as "HTTP/2 CONTINUATION Flood," an attacker can exploit the HTTP/2 protocol's CONTINUATION frame handling in certain implementations to cause a Denial-of-Service (DoS) attack by forcing an HTTP/2 endpoint to process and decode arbitrary amounts of header data. Maintaining 'HPACK' state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed 'MaxHeaderBytes', no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request that is going to be rejected. These headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames that will be processed before the connection is closed. This affects "golang.org/x/net/http2" versions prior to 0.23.0, and "net/http" versions prior to 1.21.9 and versions 1.22.0-x prior to 1.22.2.
Vulnerability ID: CVE-2023-45288
Package Name: golang.org/x/net
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2024-04-04T21:15:00
Current Package Version: f5854403a974
Remediation Upgrade Recommendation: v0.1.1-0.20221020150923-da05058a0390