Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-39326

UNKNOWN
Published 2023-12-06T16:27:53.832Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-39326. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Go standard library

net/http/internal

Affected Versions:

0 1.21.0-0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-9f76-wg39-x86h

Advisory Details

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-39326
WEB https://go.dev/cl/547335
WEB https://go.dev/issue/64433
WEB https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G
WEB https://pkg.go.dev/vuln/GO-2023-2382

Advisory provided by GitHub Security Advisory Database. Published: December 6, 2023, Modified: December 12, 2023

References

https://go.dev/issue/64433
https://go.dev/cl/547335
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2382
https://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
Published: 2023-12-06T16:27:53.832Z
Last Modified: 2025-02-13T17:02:50.990Z
Copied to clipboard!