PT-2024-2621 · Go+11 · Net/Http2+12

Bartek Nowotarski · Published 2024-03-06 · Updated 2026-06-04

CVE-2023-45288 · CVSS v3.1 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable software name and affected versions
net/http (Go standard library) and golang.org/x/net/http2 (affected versions not specified on this page)
Description
An attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing every HEADERS and CONTINUATION frame on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This lets an attacker make an HTTP/2 endpoint read arbitrary amounts of header data, all associated with a request that is going to be rejected. Those headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for the attacker to send. The cost is therefore CPU rather than memory: the per-request limit bounds what is stored, not what must be decoded, so a single rejected request can keep a connection busy for as long as the attacker withholds END_HEADERS.
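To make the mechanism concrete, the Go program below is an added example written for this page; it is not code from the Go project and uses neither net/http nor golang.org/x/net. It parses raw HTTP/2 frames from a constructed byte string shaped like the attack (one HEADERS frame followed by many CONTINUATION frames, END_HEADERS only on the last) and runs the same input through two receiver policies: the vulnerable pattern, in which bytes beyond the limit are discarded but still decoded, and an illustrative hardened policy that caps decoder work beyond the limit and closes the connection. The HPACK decode is simulated as a per-byte cost; the `excessBudget` parameter and the names `readHeaderBlock`, `continuationFlood` and `Stats` are this example's own, and the hardened policy is an assumption about one defensive shape, not the Go project's actual patch.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame constants (RFC 7540): a 9-byte header carries a 24-bit payload
// length, 8-bit type, 8-bit flags and a 31-bit stream identifier.
const (
	frameHeaderLen    = 9
	frameHeaders      = 0x1
	frameContinuation = 0x9
	flagEndHeaders    = 0x4
)

type frame struct {
	typ, flags byte
	streamID   uint32
	payload    []byte
}

// buildFrame serialises one frame; used only to construct the sample input.
func buildFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	b := make([]byte, frameHeaderLen+len(payload))
	b[0], b[1], b[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	b[3], b[4] = typ, flags
	binary.BigEndian.PutUint32(b[5:9], streamID&0x7fffffff)
	copy(b[frameHeaderLen:], payload)
	return b
}

// readFrame parses one frame from the front of buf and returns the remainder.
func readFrame(buf []byte) (frame, []byte, error) {
	if len(buf) < frameHeaderLen {
		return frame{}, nil, errors.New("short frame header")
	}
	n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
	if len(buf) < frameHeaderLen+n {
		return frame{}, nil, errors.New("truncated frame payload")
	}
	f := frame{typ: buf[3], flags: buf[4],
		streamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff,
		payload:  buf[frameHeaderLen : frameHeaderLen+n]}
	return f, buf[frameHeaderLen+n:], nil
}

// Stats records what the receiver spent on one header block.
type Stats struct {
	FramesRead   int
	BytesDecoded int   // bytes fed to the (simulated) HPACK decoder
	BytesStored  int   // bytes actually kept for the request
	Rejected     bool  // request exceeded maxHeaderBytes and will be refused
	Err          error // non-nil when the connection would be closed
}

// readHeaderBlock consumes a HEADERS frame and the CONTINUATION frames that
// follow it on the same stream, until END_HEADERS. maxHeaderBytes plays the
// role of http.Server.MaxHeaderBytes.
//
// abortOnExcess=false reproduces the vulnerable pattern: once the limit is
// reached, further bytes are dropped rather than stored, but every byte is
// still decoded so HPACK state stays in sync, and the receiver keeps reading
// frames until the peer finally sends END_HEADERS.
//
// abortOnExcess=true is one hardened shape (an assumption for this example,
// not the Go project's patch): decoder work beyond the limit is capped at
// excessBudget bytes, after which the whole connection is treated as an error.
func readHeaderBlock(conn []byte, maxHeaderBytes, excessBudget int, abortOnExcess bool) Stats {
	var st Stats
	var streamID uint32
	for first := true; ; first = false {
		f, rest, err := readFrame(conn)
		if err != nil {
			st.Err = err
			return st
		}
		conn = rest
		st.FramesRead++
		if first {
			if f.typ != frameHeaders {
				st.Err = fmt.Errorf("expected HEADERS, got frame type 0x%x", f.typ)
				return st
			}
			streamID = f.streamID
		} else if f.typ != frameContinuation || f.streamID != streamID {
			st.Err = fmt.Errorf("expected CONTINUATION on stream %d, got type 0x%x on stream %d",
				streamID, f.typ, f.streamID)
			return st
		}
		// Simulated HPACK decode: cost grows with every payload byte,
		// whether or not the decoded result is stored.
		st.BytesDecoded += len(f.payload)
		if room := maxHeaderBytes - st.BytesStored; room > 0 {
			if room > len(f.payload) {
				room = len(f.payload)
			}
			st.BytesStored += room
		}
		if st.BytesDecoded > maxHeaderBytes {
			st.Rejected = true
			if abortOnExcess && st.BytesDecoded-maxHeaderBytes > excessBudget {
				st.Err = errors.New("header block exceeds limit: closing connection")
				return st
			}
		}
		if f.flags&flagEndHeaders != 0 {
			return st
		}
	}
}

// continuationFlood constructs the attacker-shaped input described above: one
// HEADERS frame followed by n CONTINUATION frames, END_HEADERS only on the
// last. Each payload is fragLen filler bytes standing in for an HPACK header
// block fragment (constructed sample data, not real HPACK).
func continuationFlood(n, fragLen int) []byte {
	frag := make([]byte, fragLen)
	conn := buildFrame(frameHeaders, 0, 1, frag)
	for i := 0; i < n; i++ {
		var flags byte
		if i == n-1 {
			flags = flagEndHeaders
		}
		conn = append(conn, buildFrame(frameContinuation, flags, 1, frag)...)
	}
	return conn
}

func main() {
	const maxHeaderBytes = 1 << 20 // http.Server's default, 1 MiB
	// 1024 CONTINUATION frames of 16 KiB: 16 MiB of header data for one request.
	conn := continuationFlood(1024, 16384)
	for _, abort := range []bool{false, true} {
		st := readHeaderBlock(conn, maxHeaderBytes, maxHeaderBytes, abort)
		fmt.Printf("abortOnExcess=%-5v frames=%4d decoded=%8d stored=%7d rejected=%v err=%v\n",
			abort, st.FramesRead, st.BytesDecoded, st.BytesStored, st.Rejected, st.Err)
	}
}
```

Run it with `go run`: the vulnerable pass reads all 1025 frames and decodes 16 MiB for a request that stores at most 1 MiB and is rejected anyway, while the hardened pass stops just past 2 MiB and reports a connection error. Real Huffman-coded input widens the gap further, since decoding costs more than the encoded byte count suggests, and the attacker can keep the block open indefinitely by never sending END_HEADERS.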
Recommendations
The Go project fixed this issue in Go 1.21.9 and Go 1.22.2 (standard library net/http) and in golang.org/x/net v0.23.0 (http2); the corresponding Go vulnerability report is GO-2024-2687, listed among the related identifiers below. Rebuild affected binaries with a patched toolchain and an updated x/net module (`go version -m <binary>` shows which toolchain and x/net version a binary was built with). Lowering MaxHeaderBytes is not a mitigation on its own, since the excess header data is still parsed.

Exploit

Resource Exhaustion


Weakness Enumeration

Related identifiers

ALSA-2024:1962
ALSA-2024:1963
ALSA-2024:2079
ALSA-2024:2562
ALSA-2024:2699
ALSA-2024:2724
ALSA-2024:3259
ALSA-2024:3346
ALT-PU-2024-11781
ALT-PU-2024-11872
ALT-PU-2024-12202
ALT-PU-2024-12410
ALT-PU-2024-13291
ALT-PU-2024-13881
ALT-PU-2024-13971
ALT-PU-2024-16593
ALT-PU-2024-16754
ALT-PU-2024-3504
ALT-PU-2024-4847
ALT-PU-2024-5071
ALT-PU-2024-5073
ALT-PU-2024-6864
ALT-PU-2024-7595
ALT-PU-2024-8466
ALT-PU-2024-8547
ALT-PU-2024-8810
ALT-PU-2024-9408
ALT-PU-2024-9897
ALT-PU-2025-13603
ALT-PU-2025-8447
AZL-38158
AZL-38173
AZL-38209
AZL-38233
AZL-38260
AZL-38281
AZL-38284
AZL-38302
AZL-38314
AZL-38338
AZL-38392
AZL-38395
AZL-38431
AZL-38473
AZL-38488
AZL-38503
AZL-38542
AZL-38569
AZL-38575
AZL-38581
AZL-38608
AZL-38623
AZL-38635
AZL-38659
AZL-38683
AZL-38692
AZL-38761
AZL-38785
AZL-38839
AZL-38878
AZL-38941
AZL-38950
AZL-38956
AZL-39004
AZL-39022
AZL-39154
AZL-39187
AZL-39202
AZL-39217
AZL-39223
AZL-39229
AZL-39232
AZL-39235
AZL-39238
AZL-39244
AZL-39259
AZL-39268
AZL-39274
AZL-39325
AZL-39334
AZL-39445
AZL-39463
AZL-39484
AZL-39487
AZL-39493
AZL-39505
AZL-39514
AZL-39550
AZL-39571
AZL-39625
AZL-39634
AZL-39678
AZL-39892
AZL-39984
AZL-42706
AZL-42864
AZL-43627
AZL-50336
BDU:2024-02688
BIT-GOLANG-2023-45288
CESA-2024_1962
CESA-2024_2699
CESA-2024_3259
CESA-2024_3346
CLEANSTART-2026-EJ93145
CLEANSTART-2026-HZ73294
CLEANSTART-2026-SQ68600
CVE-2023-45288
ECHO-326D-6F7D-C967
GHSA-4V7X-PQXF-CX7M
GHSA-QC6V-5G5M-8CW2
GO-2024-2687
INFSA-2024_2562
INFSA-2024_2724
INFSA-2024_3259
INFSA-2024_3346
MGASA-2024-0128
OESA-2024-1488
OESA-2025-1184
OESA-2025-1185
OESA-2025-1451
OPENSUSE-SU-2024:13822-1
OPENSUSE-SU-2024:13823-1
OPENSUSE-SU-2024:13824-1
OPENSUSE-SU-2024:13837-1
OPENSUSE-SU-2024:13880-1
OPENSUSE-SU-2024:13881-1
OPENSUSE-SU-2024:13882-1
OPENSUSE-SU-2024:13903-1
OPENSUSE-SU-2024:13905-1
OPENSUSE-SU-2024:13927-1
OPENSUSE-SU-2024:13989-1
OPENSUSE-SU-2024:14053-1
OPENSUSE-SU-2024:14076-1
OPENSUSE-SU-2024:14399-1
OPENSUSE-SU-2024:14400-1
OPENSUSE-SU-2024_1121-1
OPENSUSE-SU-2024_1122-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3097-1
OPENSUSE-SU-2024_3098-1
OPENSUSE-SU-2024_3155-1
OPENSUSE-SU-2024_3341-1
OPENSUSE-SU-2024_3342-1
OPENSUSE-SU-2024_3343-1
OPENSUSE-SU-2024_3344-1
OPENSUSE-SU-2024_3755-1
OPENSUSE-SU-2025:14709-1
OPENSUSE-SU-2025:14714-1
OPENSUSE-SU-2025:14744-1
OPENSUSE-SU-2025:14990-1
OPENSUSE-SU-2025:15075-1
OPENSUSE-SU-2025:15145-1
OPENSUSE-SU-2025:15162-1
OPENSUSE-SU-2025_0299-1
OPENSUSE-SU-2025_0313-1
OPENSUSE-SU-2025_0420-1
OPENSUSE-SU-2025_0458-1
OPENSUSE-SU-2025_0558-1
OPENSUSE-SU-2025_0579-1
OPENSUSE-SU-2025_0581-1
OPENSUSE-SU-2025_0775-1
OPENSUSE-SU-2025_0813-1
OPENSUSE-SU-2025_1332-1
OPENSUSE-SU-2026:10090-1
OPENSUSE-SU-2026:10921-1
OPENSUSE-SU-2026:20609-1
RHSA-2024:1892
RHSA-2024:1897
RHSA-2024:1899
RHSA-2024:1962
RHSA-2024:1963
RHSA-2024:2049
RHSA-2024:2079
RHSA-2024:2562
RHSA-2024:2625
RHSA-2024:2667
RHSA-2024:2671
RHSA-2024:2672
RHSA-2024:2699
RHSA-2024:2724
RHSA-2024:2729
RHSA-2024:2892
RHSA-2024:2935
RHSA-2024:2936
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:3352
RHSA-2024:3467
RHSA-2024:3781
RHSA-2024:4023
RHSA-2024:4125
RHSA-2024:4146
RHSA-2024:4543
RHSA-2024:4545
RHSA-2024:4546
RHSA-2024:4933
RHSA-2024:4934
RHSA-2024_1962
RHSA-2024_1963
RHSA-2024_2079
RHSA-2024_2562
RHSA-2024_2625
RHSA-2024_2699
RHSA-2024_2724
RHSA-2024_3259
RHSA-2024_3346
RLSA-2024:1962
RLSA-2024:2562
RLSA-2024:2699
RLSA-2024:2724
RLSA-2024:3259
RLSA-2024:3346
SUSE-SU-2024:1121-1
SUSE-SU-2024:1122-1
SUSE-SU-2024:1160-1
SUSE-SU-2024:1161-1
SUSE-SU-2024:2108-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3097-1
SUSE-SU-2024:3098-1
SUSE-SU-2024:3155-1
SUSE-SU-2024:3188-1
SUSE-SU-2024:3341-1
SUSE-SU-2024:3342-1
SUSE-SU-2024:3343-1
SUSE-SU-2024:3344-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
SUSE-SU-2024_1121-1
SUSE-SU-2024_1122-1
SUSE-SU-2024_1160-1
SUSE-SU-2024_1161-1
SUSE-SU-2024_2108-1
SUSE-SU-2024_3155-1
SUSE-SU-2025:01985-1
SUSE-SU-2025:01987-1
SUSE-SU-2025:01988-1
SUSE-SU-2025:01989-1
SUSE-SU-2025:01990-1
SUSE-SU-2025:01991-1
SUSE-SU-2025:01992-1
SUSE-SU-2025:0295-1
SUSE-SU-2025:0299-1
SUSE-SU-2025:0306-1
SUSE-SU-2025:0313-1
SUSE-SU-2025:0318-1
SUSE-SU-2025:0342-1
SUSE-SU-2025:0346-1
SUSE-SU-2025:0420-1
SUSE-SU-2025:0458-1
SUSE-SU-2025:0558-1
SUSE-SU-2025:0579-1
SUSE-SU-2025:0581-1
SUSE-SU-2025:0775-1
SUSE-SU-2025:0813-1
SUSE-SU-2025:1332-1
SUSE-SU-2025:20091-1
SUSE-SU-2025:20143-1
SUSE-SU-2025:20179-1
SUSE-SU-2025:20279-1
SUSE-SU-2025:20363-1
SUSE-SU-2025_01987-1
SUSE-SU-2025_01988-1
SUSE-SU-2025_0299-1
SUSE-SU-2025_0313-1
SUSE-SU-2025_0420-1
SUSE-SU-2025_0458-1
SUSE-SU-2025_0581-1
SUSE-SU-2025_0775-1
SUSE-SU-2025_0813-1
SUSE-SU-2025_1332-1
SUSE-SU-2026:20483-1
SUSE-SU-2026:20486-1
USN-6886-1
USN-7109-1
USN-7111-1

Affected products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Net/Http
Net/Http2