Vulnerability Name:

CVE-2023-24534 (CCN-252276)

Assigned:2023-03-10
Published:2023-03-10
Updated:2023-05-26
Summary:Golang Go is vulnerable to a denial of service, caused by excessive memory allocation in the common function used to parse HTTP and MIME headers (net/textproto). By sending a specially crafted request, a remote attacker could exploit this vulnerability to exhaust the server's memory and cause a denial of service.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2023-24534

Source: XF
Type: UNKNOWN
golang-cve202324534-dos(252276)

Source: CCN
Type: Go GIT Repository
net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534) #58975

Source: security@golang.org
Type: Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Issue Tracking, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Mailing List, Patch
security@golang.org

Source: CCN
Type: GO-2023-1704
net/textproto

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Source: security@golang.org
Type: UNKNOWN
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6989115 (CICS TX Standard)
CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6989117 (CICS TX Advanced)
CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 7007847 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operands and operator may be vulnerable to denial of service due to [CVE-2023-24534]

Source: CCN
Type: IBM Security Bulletin 7008407 (Robotic Process Automation for Cloud Pak)
Multiple operator framework security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 7011697 (Storage Protect Plus Container Agent)
Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 7014223 (Storage Protect Server)
IBM Storage Protect Server is vulnerable to denial of service due to Golang Go ( CVE-2023-24534 )

Source: CCN
Type: IBM Security Bulletin 7014267 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 7015039 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2023-24534)

Source: CCN
Type: IBM Security Bulletin 7016688 (MQ Operator)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.19.7:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.20.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
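The vulnerable configuration above names only the last unfixed patch release of each supported series (1.19.7 and 1.20.2), but every binary compiled with an older toolchain carries the same net/textproto code, so the practical check is on what each deployed binary was built with. The following is an added example, not code from the advisory, from IBM or from the Go project: it reads the toolchain version stamped into compiled Go binaries (debug/buildinfo, the same data `go version -m` prints) and flags builds that predate the fix. It assumes, from the Go security release of 2023-04-04 rather than from this page, that the fix shipped in go1.19.8 and go1.20.3; series older than 1.19 are treated as affected because they never received the fix, and 1.21 and later as fixed.

```go
// Added example, not part of the advisory or of the Go project's own code:
// flag Go binaries whose embedded toolchain version predates the
// CVE-2023-24534 (GO-2023-1704) fix in net/textproto.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// firstFixedPatch records, per supported minor series, the first patch
// release that carries the fix. Assumption taken from the Go security
// release of 2023-04-04 (go1.19.8 / go1.20.3), not from this page.
var firstFixedPatch = map[int]int{
	19: 8,
	20: 3,
}

// parseGoVersion turns strings such as "go1.19.7", "go1.20" or "go1.20rc1"
// into (minor, patch). Pre-release suffixes count as patch 0.
func parseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	if i := strings.IndexAny(v, "rb"); i >= 0 { // "rc1", "beta2"
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, err
	}
	if len(parts) > 2 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, err
		}
	}
	return minor, patch, nil
}

// Affected reports whether a toolchain version still contains the
// over-allocating header parser.
func Affected(goVersion string) (bool, error) {
	minor, patch, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	switch {
	case minor < 19:
		return true, nil // out of support when the fix shipped; never patched
	case minor > 20:
		return false, nil // released after the fix
	default:
		return patch < firstFixedPatch[minor], nil
	}
}

// checkBinary reads the build info stamped into a compiled Go binary and
// returns its toolchain version plus the verdict.
func checkBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	affected, err := Affected(info.GoVersion)
	return info.GoVersion, affected, err
}

func main() {
	if len(os.Args) < 2 {
		// No paths given: report on the toolchain running this program.
		affected, _ := Affected(runtime.Version())
		fmt.Printf("%s affected=%v\n", runtime.Version(), affected)
		return
	}
	exit := 0
	for _, path := range os.Args[1:] {
		ver, affected, err := checkBinary(path)
		switch {
		case err != nil:
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 2
		case affected:
			fmt.Printf("%s: built with %s, AFFECTED by CVE-2023-24534\n", path, ver)
			exit = 1
		default:
			fmt.Printf("%s: built with %s, not affected\n", path, ver)
		}
	}
	os.Exit(exit)
}
```

Run it as `go run . /path/to/service-binary ...` against the binaries shipped in a container image; a non-zero exit marks an affected build. Because the parser lives in the standard library, upgrading the toolchain is not enough on its own: every affected binary has to be rebuilt with a fixed release, which is what the openSUSE OVAL entries below track at the package level.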
    Vulnerability Name:

    CVE-2023-24534 (CCN-258223)

    Assigned:2023-06-10
    Published:2023-06-10
    Updated:2023-06-10
    Summary:Golang Go is vulnerable to a denial of service, caused by excessive memory allocation in HTTP and MIME header parsing (net/textproto). By sending a specially crafted request containing crafted HTTP or MIME headers, a remote attacker could exploit this vulnerability to consume large amounts of memory, resulting in a denial of service.
    CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
    7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
    CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): None
    Availability (A): Complete
    Vulnerability Consequences:Denial of Service
    References:Source: MITRE
    Type: CNA
    CVE-2023-24534

    Source: XF
    Type: UNKNOWN
    go-cve202324534-dos(258223)

    Source: CCN
    Type: Go GIT Repository
    net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534) #58975

    Source: CCN
    Type: GO-2023-1704
    net/textproto

    Source: CCN
    Type: NetApp Advisory ID: NTAP-20230526-0007
    April 2023 Golang Vulnerabilities in NetApp Products

    Source: CCN
    Type: IBM Security Bulletin 7008407 (Robotic Process Automation for Cloud Pak)
    Multiple operator framework security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

    Source: CCN
    Type: IBM Security Bulletin 7011697 (Storage Protect Plus Container Agent)
    Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

    Source: CCN
    Type: IBM Security Bulletin 7016688 (MQ Operator)
    IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset

    Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:golang:go:1.19.7:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.20.2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID                         Class   Title                                                Last Modified
    oval:org.opensuse.security:def:8013   P       go1.19-1.19.9-150000.1.31.1 on GA media (Moderate)   2023-06-20
    oval:org.opensuse.security:def:8014   P       go1.20-1.20.4-150000.1.11.1 on GA media (Moderate)   2023-06-20