CVE-2023-24534

Aliases:GO-2023-1704BIT-golang-2023-24534

Advisory lineage Upstream: 0 Downstream: 35

Downstream

DEBIAN-CVE-2023-24534 MGASA-2023-0145 OPENSUSE-SU-2024:12841-1 OPENSUSE-SU-2024:12845-1 OPENSUSE-SU-2024:13007-1 OPENSUSE-SU-2024:14076-1

Modified

Published: 06 Apr 2023, 15:50

Last modified:13 Feb 2025, 16:44

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.16% LOW

0% probability +0.11%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Apr 2023, 15:50

Published

Vulnerability first disclosed

13 Feb 2025, 16:44

Last Modified

Vulnerability information updated

Description

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.16%• Percentile: 37%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

go standard library•net/textproto
< 1.19.8 | ≥ 1.20.0-0, < 1.20.3
golang•go
< 1.19.8 | ≥ 1.20.0, < 1.20.3
Go•stdlib
≥ 1.20.0-0, < 1.20.3