ID CVE-2017-1000098
Summary The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
References
Vulnerable Configurations
  • cpe:2.3:a:golang:go:1.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:golang:go:1.7.3:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 13-08-2018 - 21:47)
Impact:
Exploitability:
CWE CWE-769
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
assigner via4 cve@mitre.org
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1455189
title CVE-2017-8932 golang: Elliptic curves carry propagation issue in x86-64 P-256
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment golang is earlier than 0:1.8.3-1.el7
        oval oval:com.redhat.rhsa:tst:20171859007
      • comment golang is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20161538016
    • AND
      • comment golang-bin is earlier than 0:1.8.3-1.el7
        oval oval:com.redhat.rhsa:tst:20171859005
      • comment golang-bin is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20161538010
    • AND
      • comment golang-docs is earlier than 0:1.8.3-1.el7
        oval oval:com.redhat.rhsa:tst:20171859015
      • comment golang-docs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20161538012
    • AND
      • comment golang-misc is earlier than 0:1.8.3-1.el7
        oval oval:com.redhat.rhsa:tst:20171859009
      • comment golang-misc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20161538006
    • AND
      • comment golang-src is earlier than 0:1.8.3-1.el7
        oval oval:com.redhat.rhsa:tst:20171859011
      • comment golang-src is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20161538008
    • AND
      • comment golang-tests is earlier than 0:1.8.3-1.el7
        oval oval:com.redhat.rhsa:tst:20171859013
      • comment golang-tests is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20161538014
rhsa
id RHSA-2017:1859
released 2017-08-01
severity Moderate
title RHSA-2017:1859: golang security, bug fix, and enhancement update (Moderate)
rpms
  • golang-0:1.8.3-1.el7
  • golang-bin-0:1.8.3-1.el7
  • golang-docs-0:1.8.3-1.el7
  • golang-misc-0:1.8.3-1.el7
  • golang-src-0:1.8.3-1.el7
  • golang-tests-0:1.8.3-1.el7
refmap via4
confirm
vulnerable_product via4
  • cpe:2.3:a:golang:go:1.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:golang:go:1.7.3:*:*:*:*:*:*:*
Last major update 13-08-2018 - 21:47
Published 05-10-2017 - 01:29