CVE-2021-31525

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

References

https://github.com/golang/go/issues/45710

https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc

https://lists.fedoraproject.org/archives/list/[email protected]/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF/

Details

Source: MITRE

Published: 2021-05-27

Updated: 2021-06-22

Type: CWE-674

Risk Information

CVSS v2

Base Score: 2.6

Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW

CVSS v3

Base Score: 5.9

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Tenable Plugins

View all (18 total)

IDNameProductFamilySeverity
156004RHEL 8 : Red Hat OpenStack Platform 16.1 (etcd) (RHSA-2021:5072)NessusRed Hat Local Security Checks
high
153734EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2527)NessusHuawei Local Security Checks
medium
153715EulerOS 2.0 SP5 : golang (EulerOS-SA-2021-2497)NessusHuawei Local Security Checks
medium
153684EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2551)NessusHuawei Local Security Checks
medium
153657EulerOS 2.0 SP8 : golang (EulerOS-SA-2021-2462)NessusHuawei Local Security Checks
medium
152975RHEL 7 / 8 : OpenShift Container Platform 4.8.9 packages and (RHSA-2021:3248)NessusRed Hat Local Security Checks
high
152513Oracle Linux 8 : go-toolset:ol8 (ELSA-2021-3076)NessusOracle Linux Local Security Checks
high
152454CentOS 8 : go-toolset:rhel8 (CESA-2021:3076)NessusCentOS Local Security Checks
high
152448RHEL 8 : go-toolset:rhel8 (RHSA-2021:3076)NessusRed Hat Local Security Checks
high
152440RHEL 7 / 8 : OpenShift Container Platform 4.8.4 bug fix and (RHSA-2021:2984)NessusRed Hat Local Security Checks
high
152372Photon OS 3.0: Go PHSA-2021-3.0-0276NessusPhotonOS Local Security Checks
medium
151517Amazon Linux AMI : golang (ALAS-2021-1512)NessusAmazon Linux Local Security Checks
medium
151024openSUSE 15 Security Update : go1.15 (openSUSE-SU-2021:0904-1)NessusSuSE Local Security Checks
medium
150968Amazon Linux 2 : golang (ALAS-2021-1657)NessusAmazon Linux Local Security Checks
medium
150933Photon OS 4.0: Go PHSA-2021-4.0-0046NessusPhotonOS Local Security Checks
medium
150899SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:2082-1)NessusSuSE Local Security Checks
medium
150897SUSE SLED15 / SLES15 Security Update : go1.16 (SUSE-SU-2021:2085-1)NessusSuSE Local Security Checks
medium
149346FreeBSD : go -- net/http: ReadRequest can stack overflow due to recursion with very large headers (7f242313-aea5-11eb-8151-67f74cf7c704)NessusFreeBSD Local Security Checks
medium