Closed
Description
CVE ID
No response
GHSA ID
No response
Additional information
net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually configuring HTTP/2.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.
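A check for the fixed version named above, as an added example that is not code from the Go project or from this issue: it reads go.mod text and reports whether the required golang.org/x/net version is older than v0.7.0. The function names and the sample go.mod are assumptions made for illustration, and only `require` directives are read.

```go
package main

import (
	"fmt"
	"strings"
)

var fixedXNet = [3]int{0, 7, 0} // v0.7.0, the fixed x/net release named in the advisory
// Constructed go.mod for illustration; module name and version are made up.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgolang.org/x/net v0.6.0 // indirect\n)\n"

// xnetVersion (hypothetical helper) returns the x/net version from require directives only.
func xnetVersion(gomod string) (string, bool) {
	inReq := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop trailing comments
		if len(f) == 2 && f[0] == "require" && f[1] == "(" {
			inReq = true
		} else if len(f) == 1 && f[0] == ")" {
			inReq = false
		} else if len(f) == 3 && f[0] == "require" && f[1] == "golang.org/x/net" {
			return f[2], true
		} else if inReq && len(f) == 2 && f[0] == "golang.org/x/net" {
			return f[1], true
		}
	}
	return "", false
}

// olderThanFix compares cores numerically; a "-" suffix on the fixed core counts as older.
func olderThanFix(v string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var got [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return true // unparsable: flag for manual review
	}
	for i, want := range fixedXNet {
		if got[i] != want {
			return got[i] < want
		}
	}
	return pre != ""
}

func main() {
	if v, ok := xnetVersion(sampleGoMod); ok {
		fmt.Printf("golang.org/x/net %s older than fix: %v\n", v, olderThanFix(v))
	}
}
```

The comparison is numeric per component, so v0.10.0 is correctly treated as newer than v0.7.0, and pseudo-versions based on v0.0.0 are treated as older.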