GHSA-hgr8-6h9x-f7q9

Suggest an improvement
Source
https://github.com/advisories/GHSA-hgr8-6h9x-f7q9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hgr8-6h9x-f7q9/GHSA-hgr8-6h9x-f7q9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hgr8-6h9x-f7q9
Aliases
Related
Published
2022-05-24T16:53:17Z
Modified
2024-05-20T21:30:32Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
golang.org/x/net/http vulnerable to ping floods
Details

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Specific Go Packages Affected

golang.org/x/net/http2

References

Affected packages

Go / golang.org/x/net

Package

Name
golang.org/x/net
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/net

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-20190813141303-74dc4d7220e7