#VU70334 Allocation of Resources Without Limits or Throttling in Go programming language - CVE-2022-41717
Published: December 14, 2022 / Updated: February 8, 2023
Vulnerability identifier: #VU70334
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2022-41717
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Go programming language
Go programming language
Software vendor:
Google
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Remediation
Install updates from vendor's website.