CVE-2017-1000098

{"id": "CVE-2017-1000098", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2017-10-05T01:29:03.977", "references": [{"url": "https://golang.org/cl/30410", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://golang.org/issue/17965", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-769"}]}], "descriptions": [{"lang": "en", "value": "The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given \"maxMemory\" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors."}, {"lang": "es", "value": "El m\u00e9todo Request.ParseMultipartForm del paquete net/http empieza a escribir en archivos temporales una vez que el tama\u00f1o del cuerpo de la petici\u00f3n sobrepase el l\u00edmite \"maxMemory\" establecido. Un atacante podr\u00eda generar un petici\u00f3n multipart manipulada para que el servidor se quede sin descriptores de archivo."}], "lastModified": "2023-11-07T02:37:54.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "583AACA0-8F17-4903-B063-B1253BA95325", "versionEndExcluding": "1.6.4"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BA96926-E4F1-417B-8979-5956D23DD043", "versionEndExcluding": "1.7.4", "versionStartIncluding": "1.7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}