Vulnerability Details : CVE-2017-1000098
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
Products affected by CVE-2017-1000098
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1000098
0.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 62 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-1000098
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-1000098
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1000098
-
https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
[security] Go 1.7.4 and Go 1.6.4 are released - Google GroepenMailing List;Third Party Advisory
-
https://golang.org/issue/17965
net/http: backport "multipart ReadForm close file after copy" to 1.7 · Issue #17965 · golang/go · GitHubIssue Tracking;Patch;Vendor Advisory
-
https://golang.org/cl/30410
Issue Tracking;Patch;Vendor Advisory
Jump to