CVE-2022-41723

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.19.6
golanggo
1.20.0
golanghpack
𝑥
< 0.7.0
golanghttp2
𝑥
< 0.7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
buster
postponed
golang-1.19
bookworm
1.19.8-2
fixed
bullseye
no-dsa
buster
postponed
golang-golang-x-net
bookworm
1:0.7.0+dfsg-1
fixed
bullseye
no-dsa
buster
postponed
sid
1:0.27.0-1
fixed
trixie
1:0.27.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
containerd
bionic
not-affected
focal
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
not-affected
golang
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
dne
golang-1.10
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
needed
xenial
needed
golang-1.13
bionic
needed
focal
needed
jammy
needed
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needed
golang-1.14
bionic
dne
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.16
bionic
needed
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.17
bionic
dne
focal
dne
jammy
needed
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.18
bionic
needed
focal
needed
jammy
needed
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needed
golang-1.19
bionic
dne
focal
dne
jammy
dne
lunar
not-affected
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.20
bionic
dne
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
dne
trusty
dne
xenial
dne
golang-1.21
bionic
dne
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
dne
golang-1.6
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
needed
golang-1.8
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.9
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-golang-x-net
bionic
dne
focal
dne
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
ignored
google-guest-agent
bionic
needed
focal
Fixed 20231004.02-0ubuntu1~20.04.3
released
jammy
Fixed 20231004.02-0ubuntu1~22.04.3
released
kinetic
ignored
lunar
ignored
mantic
Fixed 20230426.00-0ubuntu2
released
noble
Fixed 20230426.00-0ubuntu2
released
trusty
dne
xenial
needed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
container-suseconnect
suse enterprise sap 15 SP1
2.4.0-150000.4.24.1
fixed
suse enterprise sap 15 SP2
2.4.0-150000.4.24.1
fixed
suse enterprise sap 15 SP4
2.4.0-150000.4.24.1
fixed
suse enterprise sap 15 SP5
2.4.0-150000.4.24.1
fixed
suse enterprise sap 15 SP6
2.4.0-150000.4.24.1
fixed
suse enterprise sap 15 SP7
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP1
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP2
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP3
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP4
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP5
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP6
2.4.0-150000.4.24.1
fixed
suse enterprise server 15 SP7
2.4.0-150000.4.24.1
fixed
helm
suse enterprise desktop 15 SP7
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP4
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP5
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP6
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP7
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP3
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP4
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP5
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP6
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP7
3.13.1-150000.1.26.1
fixed
helm-bash-completion
suse enterprise sap 15 SP4
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP5
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP6
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP7
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP3
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP4
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP5
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP6
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP7
3.13.1-150000.1.26.1
fixed
helm-zsh-completion
suse enterprise sap 15 SP4
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP5
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP6
3.13.1-150000.1.26.1
fixed
suse enterprise sap 15 SP7
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP3
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP4
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP5
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP6
3.13.1-150000.1.26.1
fixed
suse enterprise server 15 SP7
3.13.1-150000.1.26.1
fixed
supportutils-plugin-salt
suse enterprise desktop 15 SP7
1.2.2-150000.3.13.1
fixed
suse enterprise sap 15 SP1
1.2.2-150000.3.13.1
fixed
suse enterprise sap 15 SP2
1.2.2-150000.3.13.1
fixed
suse enterprise sap 15 SP7
1.2.2-150000.3.13.1
fixed
suse enterprise server 15 SP1
1.2.2-150000.3.13.1
fixed
suse enterprise server 15 SP2
1.2.2-150000.3.13.1
fixed
suse enterprise server 15 SP3
1.2.2-150000.3.13.1
fixed
suse enterprise server 15 SP4
1.2.2-150000.3.13.1
fixed
suse enterprise server 15 SP7
1.2.2-150000.3.13.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
buildah
RHEL 9
1:1.31.3-1.el9
fixed
buildah-tests
RHEL 9
1:1.31.3-1.el9
fixed
containernetworking-plugins
RHEL 9
1:1.3.0-4.el9
fixed
golang
RHEL 9
0:1.19.6-2.el9_2
fixed
golang-bin
RHEL 9
0:1.19.6-2.el9_2
fixed
golang-docs
RHEL 9
0:1.19.6-2.el9_2
fixed
golang-misc
RHEL 9
0:1.19.6-2.el9_2
fixed
golang-race
RHEL 9
0:1.19.6-2.el9_2
fixed
golang-src
RHEL 9
0:1.19.6-2.el9_2
fixed
golang-tests
RHEL 9
0:1.19.6-2.el9_2
fixed
podman
RHEL 9
2:4.6.1-5.el9
fixed
podman-docker
RHEL 9
2:4.6.1-5.el9
fixed
podman-gvproxy
RHEL 9
2:4.6.1-5.el9
fixed
podman-plugins
RHEL 9
2:4.6.1-5.el9
fixed
podman-remote
RHEL 9
2:4.6.1-5.el9
fixed
podman-tests
RHEL 9
2:4.6.1-5.el9
fixed
skopeo
RHEL 9
2:1.13.3-1.el9
fixed
skopeo-tests
RHEL 9
2:1.13.3-1.el9
fixed
toolbox
RHEL 9
0:0.0.99.4-6.el9_3
fixed
toolbox-tests
RHEL 9
0:0.0.99.4-6.el9_3
fixed
References
https://go.dev/cl/468135
https://go.dev/cl/468295
https://go.dev/issue/57855
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
https://pkg.go.dev/vuln/GO-2023-1571
https://security.gentoo.org/glsa/202311-09
https://www.couchbase.com/alerts/
https://go.dev/cl/468135
https://go.dev/cl/468295
https://go.dev/issue/57855
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
https://pkg.go.dev/vuln/GO-2023-1571
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20230331-0010/
https://www.couchbase.com/alerts/