brevo-go icon indicating copy to clipboard operation
brevo-go copied to clipboard

Published 20 hours ago verified publisher icon getbrevo

Security Issues in golang.org/x/net package

Open schadokar opened this issue 1 year ago • 0 comments

  1. golang.org/x/net/http2/h2c vulnerable to request smuggling attack
golang.org/x/net
(Go)
>= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862
0.1.1-0.20221104162952-702349b0e862
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
  1. golang.org/x/net/http2 Denial of Service vulnerability

Package
Affected versions
Patched version
golang.org/x/net
(Go)
< 0.0.0-20220906165146-f3363e06e74c
0.0.0-20220906165146-f3363e06e74c
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
  1. Uncontrolled Resource Consumption
Package
Affected versions
Patched version
golang.org/x/net
(Go)
< 0.7.0
0.7.0
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

schadokar avatar Aug 20 '23 07:08 schadokar