Vulnerability Name: | CVE-2022-41723 (CCN-247965) | ||||||||||||||||
Assigned: | 2022-09-28 | ||||||||||||||||
Published: | 2023-01-18 | ||||||||||||||||
Updated: | 2023-05-16 | ||||||||||||||||
Summary: | Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition. | ||||||||||||||||
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||
CVSS v2 Severity: | 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
| ||||||||||||||||
Vulnerability Consequences: | Denial of Service | ||||||||||||||||
References: | Source: MITRE Type: CNA CVE-2022-41723 Source: XF Type: UNKNOWN golang-cve202241723-dos(247965) Source: CCN Type: Go GIT Repository net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) #57855 Source: security@golang.org Type: Patch security@golang.org Source: security@golang.org Type: Patch security@golang.org Source: security@golang.org Type: Issue Tracking security@golang.org Source: security@golang.org Type: Mailing List, Vendor Advisory security@golang.org Source: security@golang.org Type: Third Party Advisory security@golang.org Source: security@golang.org Type: Third Party Advisory security@golang.org Source: security@golang.org Type: Third Party Advisory security@golang.org Source: security@golang.org Type: Third Party Advisory security@golang.org Source: security@golang.org Type: Vendor Advisory security@golang.org Source: CCN Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent) Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift Source: CCN Type: IBM Security Bulletin 6967022 (CICS TX Standard) CVE-2022-41723 may affect IBM CICS TX Standard Source: CCN Type: IBM Security Bulletin 6967026 (CICS TX Advanced) CVE-2022-41723 may affect IBM CICS TX Advanced Source: CCN Type: IBM Security Bulletin 6967291 (Robotic Process Automation for Cloud Pak) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Source: CCN Type: IBM Security Bulletin 6980347 (Cloud Integration Platform) Operations Dashboard is vulnerable to denial of service due to multiple vulnerabilities in Go Source: CCN Type: IBM Security Bulletin 6980349 (Cloud Integration Platform) Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go Source: CCN Type: IBM Security Bulletin 6984413 (Db2 Rest) Multiple vulnerabilities affect IBM Db2 REST Source: CCN Type: IBM Security Bulletin 6987489 (Db2 Rest) Multiple vulnerabilities in golang affect IBM Db2 REST Source: CCN Type: IBM Security Bulletin 6997601 (CICS TX Advanced) CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced Source: CCN Type: IBM Security Bulletin 7004575 (Watson Discovery) IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go Source: CCN Type: IBM Security Bulletin 7005485 (Cloud Pak for Network Automation) Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities Source: CCN Type: IBM Security Bulletin 7005569 (Spectrum Protect) IBM Storage Protect server is vulnerable to a denial of service attack due to Golang Go (CVE-2022-41723) Source: CCN Type: IBM Security Bulletin 7005589 (Spectrum Protect Plus) Vulnerabilities in Apache Commons, Tomcat, Go, libcurl, OpenSSL, Python, Node.js, and Linux can affect IBM Spectrum Protect Plus. Source: CCN Type: IBM Security Bulletin 7008449 (Db2 on Cloud Pak for Data) Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data Source: CCN Type: IBM Security Bulletin 7009757 (Match 360) ICP Match 360 is vulnerable to the following CVEs Source: CCN Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data) IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go Source: CCN Type: IBM Security Bulletin 7011775 (Event Streams) IBM Event Streams is vulnerable to a denial of service attack due to Golang Go (CVE-2022-41723) Source: CCN Type: Mend Vulnerability Database CVE-2022-41723 | ||||||||||||||||
Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||||||
Oval Definitions | |||||||||||||||||
| |||||||||||||||||
BACK |