The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
References
Link | Resource |
---|---|
https://golang.org/cl/30410 | Issue Tracking Patch Vendor Advisory |
https://golang.org/issue/17965 | Issue Tracking Patch Vendor Advisory |
https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ |
Configurations
History
16 Aug 2022, 13:01
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:golang:go:1.7.3:*:*:*:*:*:*:* |
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* |
References | (CONFIRM) https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ - Mailing List, Third Party Advisory |
Information
Published : 2017-10-05 01:29
Updated : 2024-02-04 19:29
NVD link : CVE-2017-1000098
Mitre link : CVE-2017-1000098
CVE.ORG link : CVE-2017-1000098
JSON object : View
Products Affected
golang
- go
CWE
CWE-769
DEPRECATED: Uncontrolled File Descriptor Consumption