DoS via Header Parsing Over-Allocation in HTTP/MIME Processing
CVE-2023-24534 Published on April 6, 2023

Excessive memory allocation in net/http and net/textproto
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

Github Repository NVD

Vulnerability Analysis

CVE-2023-24534 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2023-24534 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2023-24534

stack.watch emails you whenever new vulnerabilities are published in GoLang Go or Canonical Ubuntu Linux. Just hit a watch button to start following.

GoLang Go
 
Canonical Ubuntu Linux
 

Affected Versions

Go standard library net/textproto:

Exploit Probability

EPSS
0.05%
Percentile
14.66%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.