Vulnerability Details : CVE-2023-24536
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes:

1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.
2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.

The combination of these factors can permit an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

With the fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:

1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
Vulnerability category: Denial of service
Products affected by CVE-2023-24536
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-24536
- EPSS score: 0.75% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-24536
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-24536
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: security@golang.org (Secondary)
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-24536
- https://security.netapp.com/advisory/ntap-20230526-0007/ : April 2023 Golang Vulnerabilities in NetApp Products | NetApp Product Security
- https://go.dev/cl/482076 : net/textproto, mime/multipart: improve accounting of non-file data (482076) · Gerrit Code Review (Patch)
- https://go.dev/cl/482075 : mime/multipart: avoid excessive copy buffer allocations in ReadForm (482075) · Gerrit Code Review (Patch)
- https://pkg.go.dev/vuln/GO-2023-1705 : GO-2023-1705 - Go Packages (Vendor Advisory)
- https://go.dev/cl/482077 : mime/multipart: limit parsed mime message sizes (482077) · Gerrit Code Review (Patch)
- https://security.gentoo.org/glsa/202311-09 : Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 : [security] Go 1.20.3 and Go 1.19.8 are released (Mailing List)
- https://go.dev/issue/59153 : net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) · Issue #59153 · golang/go · GitHub (Issue Tracking; Patch)