Vulnerability Name:

CVE-2022-41725 (CCN-248949)

Assigned:2022-09-28
Published:2023-01-25
Updated:2023-07-10
Summary:Go is vulnerable to a denial of service, caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
CVSS v2 Severity:5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-41725

Source: XF
Type: UNKNOWN
go-cve202241725-dos(248949)

Source: CCN
Type: Go GIT Repository
net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) #58006

Source: security@golang.org
Type: Patch, Release Notes
security@golang.org

Source: security@golang.org
Type: Issue Tracking, Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Mailing List, Vendor Advisory
security@golang.org

Source: CCN
Type: Go Vulnerability Database
Vulnerability Report: GO-2023-1569

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6980347 (Cloud Integration Platform)
Operations Dashboard is vulnerable to denial of service due to multiple vulnerabilities in Go

Source: CCN
Type: IBM Security Bulletin 6980349 (Cloud Integration Platform)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go

Source: CCN
Type: IBM Security Bulletin 6998753 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2022-41725 (CCN-248957)

    Assigned:2022-09-28
    Published:2023-02-21
    Updated:2023-02-28
    Summary:Golang Go is vulnerable to a denial of service, caused by a flaw when perform multipart form parsing with mime/multipart.Reader.ReadForm. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to consume largely unlimited amounts of memory and disk files, and results in a denial of service condition.
    CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): 
    Attack Complexity (AC): 
    Privileges Required (PR): 
    User Interaction (UI): 
    Scope:Scope (S): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): 
    Attack Complexity (AC): 
    Privileges Required (PR): 
    User Interaction (UI): 
    Scope:Scope (S): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    CVSS v2 Severity:6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Athentication (Au): Single_Instance
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availibility (A): Complete
    Vulnerability Consequences:Denial of Service
    References:Source: MITRE
    Type: CNA
    CVE-2022-41725

    Source: XF
    Type: UNKNOWN
    golang-cve202241725-dos(248957)

    Source: CCN
    Type: GO-2023-1569
    mime/multipart

    Source: CCN
    Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent)
    Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

    Source: CCN
    Type: IBM Security Bulletin 6980347 (Cloud Integration Platform)
    Operations Dashboard is vulnerable to denial of service due to multiple vulnerabilities in Go

    Source: CCN
    Type: IBM Security Bulletin 6980349 (Cloud Integration Platform)
    Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go

    Source: CCN
    Type: IBM Security Bulletin 6987059 (App Connect Enterprise Certified Container)
    IBM App Connect Enterprise Certified Container operands and operator may be vulnerable to denial of service due to [CVE-2022-41725]

    Source: CCN
    Type: IBM Security Bulletin 6987489 (Db2 Rest)
    Multiple vulnerabilities in golang affect IBM Db2 REST

    Source: CCN
    Type: IBM Security Bulletin 6995589 (Spectrum Copy Data Management)
    Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management

    Source: CCN
    Type: IBM Security Bulletin 6998753 (Cloud Transformation Advisor)
    IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

    Source: CCN
    Type: IBM Security Bulletin 7004575 (Watson Discovery)
    IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

    Source: CCN
    Type: IBM Security Bulletin 7005589 (Spectrum Protect Plus)
    Vulnerabilities in Apache Commons, Tomcat, Go, libcurl, OpenSSL, Python, Node.js, and Linux can affect IBM Spectrum Protect Plus.

    Source: CCN
    Type: IBM Security Bulletin 7005941 (Storage Protect)
    IBM Storage Protect Server is vulnerable to denial of service attacks due to Golang Go (CVE-2023-24536, CVE-2023-24537, CVE-2022-41724, CVE-2022-41725)

    Source: CCN
    Type: IBM Security Bulletin 7008407 (Robotic Process Automation for Cloud Pak)
    Multiple operator framework security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

    Source: CCN
    Type: IBM Security Bulletin 7008449 (Db2 on Cloud Pak for Data)
    Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

    Source: CCN
    Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
    IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

    Source: CCN
    Type: IBM Security Bulletin 7015045 (Watson Speech Services Cartridge for Cloud Pak for Data)
    IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-41725)

    Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:golang:go:1.19.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8013
    P
    		go1.19-1.19.9-150000.1.31.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:8014
    P
    		go1.20-1.20.4-150000.1.11.1 on GA media (Moderate)
    2023-06-20
    BACK
    ibm cloud transformation advisor 2.0.1
    golang go 1.19.5
    ibm spectrum protect plus 10.1.0
    ibm cloud transformation advisor 2.0.1
    ibm spectrum copy data management 2.2.0.0
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm robotic process automation for cloud pak 21.0.1
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0
    ibm app connect enterprise certified container 6.1
    ibm app connect enterprise certified container 6.2