The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
This was flagged in a Snyk security report, and the package appears to be a downstream dependency of golang.org/x/crypto to the best of my ability to determine. The dependencies for this package in go.mod appear to be pointing to specific commits, so I'm not sure what the history is there, and what the best path for remediation is.
golang.org//grpc versions <1.56.3 >=1.57.0 <1.57.1 >=1.58.0 <1.58.3 are vulnerable to https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
This was flagged in a Snyk security report, and the package appears to be a downstream dependency of
golang.org/x/cryptoto the best of my ability to determine. The dependencies for this package ingo.modappear to be pointing to specific commits, so I'm not sure what the history is there, and what the best path for remediation is.https://www.cve.org/CVERecord?id=CVE-2023-44487 https://www.mend.io/vulnerability-database/CVE-2023-44487