data/reports: add GO-2022-1144.yaml

tatianab · Tatiana Bradley · commit 92d928682a0c · 2022-12-08T19:01:21.000Z
Aliases: CVE-2022-41717 Updates #1144 Change-Id: I7ac8c7020a91486cea5dbf5895f7566b6cd94919 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/456057 Reviewed-by: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/cve/v5/GO-2022-1144.json b/data/cve/v5/GO-2022-1144.json
@@ -0,0 +1,131 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2022-41717"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "Go standard library",
+          "product": "net/http",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "net/http",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "1.18.9",
+              "status": "affected",
+              "versionType": "semver"
+            },
+            {
+              "version": "1.19.0",
+              "lessThan": "1.19.4",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "http2serverConn.canonicalHeader"
+            },
+            {
+              "name": "ListenAndServe"
+            },
+            {
+              "name": "ListenAndServeTLS"
+            },
+            {
+              "name": "Serve"
+            },
+            {
+              "name": "ServeTLS"
+            },
+            {
+              "name": "Server.ListenAndServe"
+            },
+            {
+              "name": "Server.ListenAndServeTLS"
+            },
+            {
+              "name": "Server.Serve"
+            },
+            {
+              "name": "Server.ServeTLS"
+            },
+            {
+              "name": "http2Server.ServeConn"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        },
+        {
+          "vendor": "golang.org/x/net",
+          "product": "golang.org/x/net/http2",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/net/http2",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "0.4.0",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "serverConn.canonicalHeader"
+            },
+            {
+              "name": "Server.ServeConn"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE 400: Uncontrolled Resource Consumption"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/issue/56350"
+        },
+        {
+          "url": "https://go.dev/cl/455717"
+        },
+        {
+          "url": "https://go.dev/cl/455635"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2022-1144"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Josselin Costanzi"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/osv/GO-2022-1144.json b/data/osv/GO-2022-1144.json
@@ -0,0 +1,115 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2022-1144",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-41717"
+  ],
+  "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
+  "affected": [
+    {
+      "package": {
+        "name": "stdlib",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.18.9"
+            },
+            {
+              "introduced": "1.19.0"
+            },
+            {
+              "fixed": "1.19.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2022-1144"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "net/http",
+            "symbols": [
+              "ListenAndServe",
+              "ListenAndServeTLS",
+              "Serve",
+              "ServeTLS",
+              "Server.ListenAndServe",
+              "Server.ListenAndServeTLS",
+              "Server.Serve",
+              "Server.ServeTLS",
+              "http2Server.ServeConn",
+              "http2serverConn.canonicalHeader"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "golang.org/x/net",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.4.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2022-1144"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/net/http2",
+            "symbols": [
+              "Server.ServeConn",
+              "serverConn.canonicalHeader"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/56350"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/455717"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/455635"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Josselin Costanzi"
+    }
+  ]
+}
diff --git a/data/reports/GO-2022-1144.yaml b/data/reports/GO-2022-1144.yaml
@@ -0,0 +1,48 @@
+modules:
+  - module: std
+    versions:
+      - fixed: 1.18.9
+      - introduced: 1.19.0
+        fixed: 1.19.4
+    vulnerable_at: 1.19.3
+    packages:
+      - package: net/http
+        symbols:
+          - http2serverConn.canonicalHeader
+        derived_symbols:
+          - ListenAndServe
+          - ListenAndServeTLS
+          - Serve
+          - ServeTLS
+          - Server.ListenAndServe
+          - Server.ListenAndServeTLS
+          - Server.Serve
+          - Server.ServeTLS
+          - http2Server.ServeConn
+  - module: golang.org/x/net
+    versions:
+      - fixed: 0.4.0
+    vulnerable_at: 0.3.0
+    packages:
+      - package: golang.org/x/net/http2
+        symbols:
+          - serverConn.canonicalHeader
+        derived_symbols:
+          - Server.ServeConn
+description: |
+    An attacker can cause excessive memory growth in a Go server accepting
+    HTTP/2 requests.
+
+    HTTP/2 server connections contain a cache of HTTP header keys sent by the
+    client. While the total number of entries in this cache is capped, an
+    attacker sending very large keys can cause the server to allocate
+    approximately 64 MiB per open connection.
+credit: Josselin Costanzi
+references:
+  - report: https://go.dev/issue/56350
+  - fix: https://go.dev/cl/455717
+  - fix: https://go.dev/cl/455635
+  - web: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
+cve_metadata:
+    id: CVE-2022-41717
+    cwe: 'CWE 400: Uncontrolled Resource Consumption'
