CVE-2023-45288
Published: 04 April 2024
Summary
CVE-2023-45288 is a high-severity vulnerability in Go (the affected product is inferred from references); the weakness type is unspecified. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-45288 affects the HTTP/2 implementation in the Go standard library. The flaw allows an endpoint to be forced into reading and processing arbitrary volumes of header data sent via an excessive number of CONTINUATION frames. Although requests whose headers exceed MaxHeaderBytes are ultimately rejected without allocating storage for the excess, the frames are still parsed, including costly Huffman-encoded data, before rejection occurs.
An unauthenticated network attacker can open an HTTP/2 connection and transmit a stream of CONTINUATION frames containing expensive header encodings. Because HPACK state must be maintained for all such frames, the receiver expends significant CPU resources on a request that will be discarded, resulting in a denial-of-service condition with high availability impact and no privileges or user interaction required.
Public advisories and the Go project response describe a fix that imposes an upper bound on the number of excess header frames processed before the connection is closed. The change is delivered through the commits referenced in golang-announce and the associated Go issue tracker.
EPSS for the vulnerability rose from lower values to a peak of 0.7989 before receding to the current 0.6990, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1094
Vulnerability details
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
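As an added illustration, not code from the Go project or the x/net/http2 package, the following Go model contrasts the pre-fix behaviour described above (every CONTINUATION fragment of an already-rejected request is still fed to the HPACK decoder, without bound) with a reader that stops after a fixed number of excess frames and closes the connection, which is the shape of the fix the advisory describes. The type, field and function names (HeaderReader, MaxExcessFrames, Simulate) are hypothetical, the frame sizes are constructed, and the 1 MiB limit is the net/http default MaxHeaderBytes.

```go
package main

import (
	"errors"
	"fmt"
)

// HTTP/2 frame types and flags used in this model (values as in RFC 9113).
const (
	FrameHeaders      uint8 = 0x1
	FrameContinuation uint8 = 0x9
	FlagEndHeaders    uint8 = 0x4
)

// Frame is a minimal model of an HTTP/2 frame: only the fields the header-block
// accounting needs are tracked, not the payload itself.
type Frame struct {
	Type     uint8
	Flags    uint8
	StreamID uint32
	Length   int // payload size in bytes (the HPACK fragment for header frames)
}

var (
	ErrProtocol         = errors.New("PROTOCOL_ERROR: malformed header block sequence")
	ErrConnectionClosed = errors.New("connection closed: too many header frames after the size limit was exceeded")
)

// HeaderReader models server-side consumption of one header block (a HEADERS
// frame plus any CONTINUATION frames). Hypothetical model, not net/http code.
type HeaderReader struct {
	MaxHeaderBytes  int // request header limit, as in net/http Server.MaxHeaderBytes
	MaxExcessFrames int // frames tolerated after the limit is exceeded; 0 = unbounded (pre-fix behaviour)

	inBlock      bool
	streamID     uint32
	received     int  // header-block bytes seen for the current request
	excessFrames int  // frames processed after received exceeded MaxHeaderBytes
	DecodedBytes int  // bytes the HPACK decoder had to process on this connection
	Rejected     bool // the current request will be refused (431 / RST_STREAM)
}

// Process consumes one frame. It returns ErrConnectionClosed when the bounded
// reader tears the connection down instead of decoding further fragments of a
// request it has already decided to reject.
func (r *HeaderReader) Process(f Frame) error {
	switch f.Type {
	case FrameHeaders:
		if r.inBlock {
			return ErrProtocol // a new header block may not start inside another
		}
		r.inBlock, r.streamID = true, f.StreamID
		r.received, r.excessFrames, r.Rejected = 0, 0, false
	case FrameContinuation:
		if !r.inBlock || f.StreamID != r.streamID {
			return ErrProtocol // CONTINUATION must follow HEADERS on the same stream
		}
	default:
		if r.inBlock {
			return ErrProtocol // no other frame may interleave with a header block
		}
		return nil
	}

	// Every fragment still goes through the HPACK decoder so the dynamic table
	// stays in sync with the peer; this is the CPU cost the flood exploits even
	// though excess bytes are never stored.
	r.DecodedBytes += f.Length
	r.received += f.Length

	if r.received > r.MaxHeaderBytes {
		r.Rejected = true
		r.excessFrames++
		if r.MaxExcessFrames > 0 && r.excessFrames > r.MaxExcessFrames {
			return ErrConnectionClosed
		}
	}
	if f.Flags&FlagEndHeaders != 0 {
		r.inBlock = false
	}
	return nil
}

// Simulate feeds a constructed oversized header block (one HEADERS frame plus
// `continuations` CONTINUATION frames of `fragment` bytes each) to a reader and
// reports how many bytes reached the decoder and how the connection ended.
func Simulate(maxHeaderBytes, maxExcessFrames, continuations, fragment int) (decoded int, err error) {
	r := &HeaderReader{MaxHeaderBytes: maxHeaderBytes, MaxExcessFrames: maxExcessFrames}
	frames := []Frame{{Type: FrameHeaders, StreamID: 1, Length: fragment}}
	for i := 0; i < continuations; i++ {
		var flags uint8
		if i == continuations-1 {
			flags = FlagEndHeaders
		}
		frames = append(frames, Frame{Type: FrameContinuation, Flags: flags, StreamID: 1, Length: fragment})
	}
	for _, f := range frames {
		if err = r.Process(f); err != nil {
			break
		}
	}
	return r.DecodedBytes, err
}

func main() {
	const limit = 1 << 20 // 1 MiB, the net/http default MaxHeaderBytes
	// Constructed scenario: a 16 KiB HEADERS frame followed by 1000 16 KiB CONTINUATION frames.
	d, err := Simulate(limit, 0, 1000, 16384)
	fmt.Printf("unbounded: decoded %d bytes, err=%v\n", d, err)
	d, err = Simulate(limit, 8, 1000, 16384)
	fmt.Printf("bounded:   decoded %d bytes, err=%v\n", d, err)
}
```

With the 1 MiB limit and 16 KiB fragments the request is over the limit from the 65th frame onward. The unbounded reader decodes all 1001 frames (about 16 MiB of HPACK work for a request it has already decided to reject) and the connection stays open for the next flood; the bounded reader decodes 8 excess frames and closes the connection at the 73rd, so the attacker's cost per connection is capped at roughly MaxHeaderBytes plus a few frames.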
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.