Skip to content

Commit 6b74168

Browse files
committed
data/reports: update GO-2023-2102.yaml
Move CVE-2023-44487 (catch-all for HTTP/2 rapid reset) from "cves" to "related". Updates #2102 Change-Id: Ic420f27cb55ab46f131957dcf941744aae3e0af0 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545204 Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
1 parent 6272ba4 commit 6b74168

File tree

2 files changed

+5
-3
lines changed

2 files changed

+5
-3
lines changed

data/osv/GO-2023-2102.json

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,12 @@
44
"modified": "0001-01-01T00:00:00Z",
55
"published": "0001-01-01T00:00:00Z",
66
"aliases": [
7-
"CVE-2023-44487",
87
"CVE-2023-39325",
98
"GHSA-4374-p667-p6c8"
109
],
10+
"related": [
11+
"CVE-2023-44487"
12+
],
1113
"summary": "HTTP/2 rapid reset can cause excessive work in net/http",
1214
"details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.\n\nWith the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.\n\nThis issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.\n\nThe default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.",
1315
"affected": [

data/reports/GO-2023-2102.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -57,10 +57,10 @@ description: |-
5757
The default stream concurrency limit is 250 streams (requests) per HTTP/2
5858
connection. This value may be adjusted using the golang.org/x/net/http2 package;
5959
see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
60-
cves:
61-
- CVE-2023-44487
6260
ghsas:
6361
- GHSA-4374-p667-p6c8
62+
related:
63+
- CVE-2023-44487
6464
references:
6565
- report: https://go.dev/issue/63417
6666
- fix: https://go.dev/cl/534215

0 commit comments

Comments
 (0)