CVE-2023-45288

EUVD-2024-1094
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
go_standard_librarynet/http
𝑥
< 1.21.9
ADP
go_standard_librarynet/http
1.22.0-0 ≤
𝑥
< 1.22.2
ADP
golanghttp2
𝑥
< 0.23.0
ADP
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bookworm
no-dsa
bullseye
vulnerable
buster
postponed
golang-1.19
bookworm
vulnerable
bullseye
no-dsa
buster
postponed
golang-1.22
bookworm
no-dsa
bullseye
no-dsa
buster
postponed
sid
1.22.10-1
fixed
trixie
1.22.10-1
fixed
golang-golang-x-net
bookworm
no-dsa
bullseye
no-dsa
buster
postponed
sid
1:0.27.0-1
fixed
trixie
1:0.27.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
golang-1.10
bionic
needs-triage
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
trusty
ignored
xenial
needs-triage
golang-1.13
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
dne
noble
dne
oracular
dne
xenial
needs-triage
golang-1.14
focal
needs-triage
jammy
dne
mantic
dne
noble
dne
oracular
dne
golang-1.16
bionic
needs-triage
focal
needs-triage
jammy
dne
mantic
dne
noble
dne
oracular
dne
golang-1.17
focal
dne
jammy
Fixed 1.17.13-3ubuntu1.3
released
mantic
dne
noble
dne
oracular
dne
golang-1.18
bionic
Fixed 1.18.1-1ubuntu1~18.04.4+esm1
released
focal
Fixed 1.18.1-1ubuntu1~20.04.3
released
jammy
Fixed 1.18.1-1ubuntu1.2
released
mantic
dne
noble
dne
oracular
dne
xenial
Fixed 1.18.1-1ubuntu1~16.04.6+esm1
released
golang-1.19
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
golang-1.20
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
dne
oracular
dne
golang-1.21
focal
Fixed 1.21.1-1~ubuntu20.04.3
released
jammy
Fixed 1.21.1-1~ubuntu22.04.3
released
mantic
ignored
noble
not-affected
oracular
dne
golang-1.22
focal
not-affected
jammy
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
golang-1.6
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
xenial
needs-triage
golang-1.8
bionic
needs-triage
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
golang-1.9
bionic
needs-triage
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
buildah
suse enterprise sap 15 SP6
1.35.5-150500.3.28.1
fixed
suse enterprise sap 15 SP7
1.35.5-150500.3.28.1
fixed
suse enterprise server 15 SP2
1.25.1-150100.3.28.1
fixed
suse enterprise server 15 SP3
1.35.5-150300.8.36.1
fixed
suse enterprise server 15 SP4
1.35.5-150400.3.39.1
fixed
suse enterprise server 15 SP6
1.35.5-150500.3.28.1
fixed
suse enterprise server 15 SP7
1.35.5-150500.3.28.1
fixed
containerd
suse enterprise desktop 15 SP7
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP5
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP6
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP7
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP2
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP3
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP4
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP5
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP6
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP7
1.7.17-150000.111.3
fixed
containerd-ctr
suse enterprise sap 15 SP5
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP6
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP7
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP2
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP3
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP4
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP5
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP6
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP7
1.7.17-150000.111.3
fixed
containerd-devel
suse enterprise sap 15 SP5
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP6
1.7.17-150000.111.3
fixed
suse enterprise sap 15 SP7
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP4
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP5
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP6
1.7.17-150000.111.3
fixed
suse enterprise server 15 SP7
1.7.17-150000.111.3
fixed
containerized-data-importer-manifests
suse enterprise sap 15 SP7
1.64.0-150700.9.11.1
fixed
suse enterprise server 15 SP7
1.64.0-150700.9.11.1
fixed
golang-github-prometheus-node_exporter
suse enterprise desktop 15 SP6
1.9.1-150100.3.35.2
fixed
suse enterprise desktop 15 SP7
1.9.1-150100.3.35.2
fixed
suse enterprise sap 15 SP6
1.9.1-150100.3.35.2
fixed
suse enterprise sap 15 SP7
1.9.1-150100.3.35.2
fixed
suse enterprise server 15 SP2
1.9.1-150100.3.35.2
fixed
suse enterprise server 15 SP3
1.9.1-150100.3.35.2
fixed
suse enterprise server 15 SP4
1.9.1-150100.3.35.2
fixed
suse enterprise server 15 SP5
1.9.1-150100.3.35.2
fixed
suse enterprise server 15 SP6
1.9.1-150100.3.35.2
fixed
suse enterprise server 15 SP7
1.9.1-150100.3.35.2
fixed
google-guest-agent
suse enterprise sap 12
20260529.00-1.61.1
fixed
suse enterprise sap 12 SP3
20260529.00-1.61.1
fixed
suse enterprise sap 12 SP4
20260529.00-1.61.1
fixed
suse enterprise sap 12 SP5
20260529.00-1.61.1
fixed
suse enterprise sap 15 SP4
20260529.00-150000.1.70.1
fixed
suse enterprise sap 15 SP5
20260529.00-150000.1.70.1
fixed
suse enterprise sap 15 SP6
20260529.00-150000.1.70.1
fixed
suse enterprise sap 15 SP7
20260529.00-150000.1.70.1
fixed
suse enterprise server 12
20260529.00-1.61.1
fixed
suse enterprise server 12 SP3
20260529.00-1.61.1
fixed
suse enterprise server 12 SP4
20260529.00-1.61.1
fixed
suse enterprise server 12 SP5
20260529.00-1.61.1
fixed
suse enterprise server 15 SP4
20260529.00-150000.1.70.1
fixed
suse enterprise server 15 SP5
20260529.00-150000.1.70.1
fixed
suse enterprise server 15 SP6
20260529.00-150000.1.70.1
fixed
suse enterprise server 15 SP7
20260529.00-150000.1.70.1
fixed
podman
suse enterprise sap 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP3
4.9.5-150300.9.43.1
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.38.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.34.2
fixed
podman-docker
suse enterprise sap 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.38.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.34.2
fixed
podman-remote
suse enterprise sap 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP3
4.9.5-150300.9.43.1
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.38.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.34.2
fixed
podmansh
suse enterprise sap 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.34.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.34.2
fixed
rekor
suse enterprise desktop 15 SP6
1.3.10-150400.4.25.1
fixed
suse enterprise desktop 15 SP7
1.3.10-150400.4.25.1
fixed
suse enterprise sap 15 SP6
1.3.10-150400.4.25.1
fixed
suse enterprise sap 15 SP7
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP4
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP5
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP6
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP7
1.3.10-150400.4.25.1
fixed
skopeo
suse enterprise desktop 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.16.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP2
1.14.4-150000.4.31.1
fixed
suse enterprise server 15 SP4
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.16.1
fixed
skopeo-bash-completion
suse enterprise desktop 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.16.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.16.1
fixed
skopeo-zsh-completion
suse enterprise desktop 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.16.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.16.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.16.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
git-lfs
RHEL 9
0:3.4.1-2.el9_4
fixed
go-toolset
RHEL 9
0:1.21.9-2.el9_4
fixed
golang
RHEL 9
0:1.21.9-2.el9_4
fixed
golang-bin
RHEL 9
0:1.21.9-2.el9_4
fixed
golang-docs
RHEL 9
0:1.21.9-2.el9_4
fixed
golang-misc
RHEL 9
0:1.21.9-2.el9_4
fixed
golang-src
RHEL 9
0:1.21.9-2.el9_4
fixed
golang-tests
RHEL 9
0:1.21.9-2.el9_4
fixed
rhc-worker-script
RHEL 7
0:0.8-1.el7_9
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
amazon-cloudwatch-agent
Amazon Linux 2
0:1.300039.0-1.amzn2
fixed
Amazon Linux 2023
0:1.300039.0-1.amzn2023
fixed
amazon-ecr-credential-helper
Amazon Linux 2023
0:0.7.1-4.amzn2023
fixed
amazon-ssm-agent
Amazon Linux 1
0:3.3.859.0-1.amzn1
fixed
Amazon Linux 2
0:3.3.859.0-1.amzn2
fixed
Amazon Linux 2023
0:3.3.859.0-1.amzn2023
fixed
cni-plugins
Amazon Linux 2
0:1.2.0-1.amzn2.0.6
fixed
Amazon Linux 2023
0:1.2.0-1.amzn2023.0.5
fixed
cni-plugins-debuginfo
Amazon Linux 2
0:1.2.0-1.amzn2.0.6
fixed
Amazon Linux 2023
0:1.2.0-1.amzn2023.0.5
fixed
cni-plugins-debugsource
Amazon Linux 2023
0:1.2.0-1.amzn2023.0.5
fixed
cri-tools
Amazon Linux 2
0:1.29.0-1.amzn2.0.2
fixed
cri-tools-debuginfo
Amazon Linux 2
0:1.29.0-1.amzn2.0.2
fixed
ecs-init
Amazon Linux 2023
0:1.84.0-1.amzn2023
fixed
golang
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golang-bin
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golang-docs
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golang-misc
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golang-shared
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golang-src
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golang-tests
Amazon Linux 2
0:1.22.3-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.22.3-1.amzn2023.0.1
fixed
golist
Amazon Linux 2
0:0.10.1-10.amzn2.0.5
fixed
golist-debuginfo
Amazon Linux 2
0:0.10.1-10.amzn2.0.5
fixed
nerdctl
Amazon Linux 2
0:1.7.6-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.7.6-1.amzn2023.0.1
fixed
nerdctl-debuginfo
Amazon Linux 2
0:1.7.6-1.amzn2.0.1
fixed
oci-add-hooks
Amazon Linux 2023
0:0-0.1.20200504git268e3bb.amzn2023.0.3
fixed
oci-add-hooks-debuginfo
Amazon Linux 2023
0:0-0.1.20200504git268e3bb.amzn2023.0.3
fixed
oci-add-hooks-debugsource
Amazon Linux 2023
0:0-0.1.20200504git268e3bb.amzn2023.0.3
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
application-gateway-kubernetes-ingress
Azure Linux 3.0
0:1.7.7-1.azl3
fixed
azcopy
Azure Linux 3.0
0:10.25.1-1.azl3
fixed
CBL-Mariner 2.0
0:10.24.0-1.cm2
fixed
blobfuse2
Azure Linux 3.0
0:2.3.0-1.azl3
fixed
CBL-Mariner 2.0
0:2.1.2-3.cm2
fixed
cert-manager
Azure Linux 3.0
0:1.12.12-1.azl3
fixed
CBL-Mariner 2.0
0:1.11.2-9.cm2
fixed
cf-cli
Azure Linux 3.0
0:8.7.3-6.azl3
fixed
containerd
Azure Linux 3.0
0:1.7.13-6.azl3
fixed
containerized-data-importer
Azure Linux 3.0
0:1.57.0-11.azl3
fixed
coredns
Azure Linux 3.0
0:1.11.1-2.azl3
fixed
CBL-Mariner 2.0
0:1.11.1-8.cm2
fixed
cri-tools
Azure Linux 3.0
0:1.30.1-1.azl3
fixed
CBL-Mariner 2.0
0:1.29.0-2.cm2
fixed
docker-buildx
Azure Linux 3.0
0:0.14.0-1.azl3
fixed
docker-cli
Azure Linux 3.0
0:25.0.7-1.azl3
fixed
docker-compose
Azure Linux 3.0
0:2.27.0-1.azl3
fixed
etcd
Azure Linux 3.0
0:3.5.18-1.azl3
fixed
CBL-Mariner 2.0
0:3.5.12-2.cm2
fixed
flannel
Azure Linux 3.0
0:0.24.2-10.azl3
fixed
gh
Azure Linux 3.0
0:2.62.0-1.azl3
fixed
git-lfs
Azure Linux 3.0
0:3.6.1-1.azl3
fixed
CBL-Mariner 2.0
0:3.5.1-1.cm2
fixed
helm
Azure Linux 3.0
0:3.15.2-1.azl3
fixed
CBL-Mariner 2.0
0:3.14.2-2.cm2
fixed
ig
Azure Linux 3.0
0:0.29.0-1.azl3
fixed
influxdb
Azure Linux 3.0
0:2.7.3-6.azl3
fixed
jx
Azure Linux 3.0
0:3.10.116-2.azl3
fixed
kata-containers
Azure Linux 3.0
0:3.2.0.azl4-1.azl3
fixed
CBL-Mariner 2.0
0:3.2.0.azl2-1.cm2
fixed
kata-containers-cc
Azure Linux 3.0
0:3.2.0.azl4-1.azl3
fixed
CBL-Mariner 2.0
0:3.2.0.azl2-1.cm2
fixed
kube-vip-cloud-provider
Azure Linux 3.0
0:0.0.10-1.azl3
fixed
kubernetes
Azure Linux 3.0
0:1.30.1-1.azl3
fixed
CBL-Mariner 2.0
0:0.0.0.cm2
fixed
kubevirt
Azure Linux 3.0
0:1.2.0-13.azl3
fixed
CBL-Mariner 2.0
0:0.59.0-16.cm2
fixed
kured
Azure Linux 3.0
0:1.15.0-2.azl3
fixed
CBL-Mariner 2.0
0:1.14.2-3.cm2
fixed
libcontainers-common
Azure Linux 3.0
0:20240213-2.azl3
fixed
local-path-provisioner
Azure Linux 3.0
0:0.0.24-3.azl3
fixed
moby-cli
CBL-Mariner 2.0
0:24.0.9-3.cm2
fixed
moby-compose
CBL-Mariner 2.0
0:2.17.3-3.cm2
fixed
moby-containerd
CBL-Mariner 2.0
0:1.6.26-5.cm2
fixed
moby-containerd-cc
Azure Linux 3.0
0:1.7.7-6.azl3
fixed
CBL-Mariner 2.0
0:1.7.7-4.cm2
fixed
moby-engine
Azure Linux 3.0
0:25.0.3-10.azl3
fixed
CBL-Mariner 2.0
0:24.0.9-2.cm2
fixed
multus
Azure Linux 3.0
0:4.0.2-3.azl3
fixed
CBL-Mariner 2.0
0:4.0.2-3.cm2
fixed
nmi
CBL-Mariner 2.0
0:1.8.17-2.cm2
fixed
node-problem-detector
Azure Linux 3.0
0:0.8.15-4.azl3
fixed
CBL-Mariner 2.0
0:0.8.17-3.cm2
fixed
opa
Azure Linux 3.0
0:0.63.0-1.azl3
fixed
CBL-Mariner 2.0
0:0.63.0-2.cm2
fixed
packer
CBL-Mariner 2.0
0:1.10.1-2.cm2
fixed
prometheus
Azure Linux 3.0
0:2.45.4-4.azl3
fixed
CBL-Mariner 2.0
0:2.37.9-2.cm2
fixed
prometheus-adapter
Azure Linux 3.0
0:0.12.0-1.azl3
fixed
prometheus-node-exporter
Azure Linux 3.0
0:1.7.0-2.azl3
fixed
skopeo
Azure Linux 3.0
0:1.14.4-3.azl3
fixed
CBL-Mariner 2.0
0:1.14.2-3.cm2
fixed
sriov-network-device-plugin
CBL-Mariner 2.0
0:3.6.2-3.cm2
fixed
telegraf
Azure Linux 3.0
0:1.31.0-1.azl3
fixed
CBL-Mariner 2.0
0:1.29.4-3.cm2
fixed
vitess
Azure Linux 3.0
0:19.0.4-2.azl3
fixed
CBL-Mariner 2.0
0:16.0.2-8.cm2
fixed