Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

INFO

Published Date :

2024-04-04T20:37:30.714Z

Last Modified :

2025-11-04T18:17:43.583Z

Source :

Go
AFFECTED PRODUCTS

The following products are affected by CVE-2023-45288 vulnerability.

Vendors Products
Go Standard Library
  • Net\/http
Golang
  • Http2
Redhat
  • Acm
  • Advanced Cluster Security
  • Ansible Automation Platform
  • Ceph Storage
  • Cert Manager
  • Container Native Virtualization
  • Cryostat
  • Devtools
  • Enterprise Linux
  • Logging
  • Migration Toolkit Applications
  • Openshift
  • Openshift Api Data Protection
  • Openshift Builds
  • Openshift Custom Metrics Autoscaler
  • Openshift Devspaces
  • Openshift Distributed Tracing
  • Openshift Gitops
  • Openshift Pipelines
  • Openshift Secondary Scheduler
  • Openstack
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus
  • Rhmt
  • Run Once Duration Override Operator
  • Serverless
  • Service Interconnect
  • Service Mesh
  • Stf

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact