GoLang Http2
By the Year
In 2023 there has been 1 vulnerability in GoLang Http2, with an average score of 7.5 out of ten. Last year Http2 had 1 security vulnerability published. At the current rate, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2023 is greater by 2.20.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 1 | 7.50 |
2022 | 1 | 5.30 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Http2 vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent GoLang Http2 Security Vulnerabilities
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service
CVE-2022-41723
7.5 - High
- February 28, 2023
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
CVE-2022-41717
5.3 - Medium
- December 08, 2022
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Allocation of Resources Without Limits or Throttling
