Bug 2268017 (CVE-2023-45290) - CVE-2023-45290 golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm
Summary: CVE-2023-45290 golang: net/http: golang: mime/multipart: golang: net/textprot...
Keywords:
Status: NEW
Alias: CVE-2023-45290
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2349082 2268238 2268239 2268240 2276382 2276383 2276384 2276385 2276386 2276387 2276388 2276389 2276390 2276391 2276392 2276621 2280889 2292176 2292177
Blocks: 2268016
TreeView+ depends on / blocked
 
Reported: 2024-03-06 01:50 UTC by Robb Gatica
Modified: 2025-05-06 08:28 UTC (History)
137 users (show)

Fixed In Version: go 1.21.8, go 1.22.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:3397 0 None None None 2024-05-28 12:59:58 UTC
Red Hat Product Errata RHBA-2024:4031 0 None None None 2024-06-20 14:52:12 UTC
Red Hat Product Errata RHBA-2024:4032 0 None None None 2024-06-20 14:52:25 UTC
Red Hat Product Errata RHBA-2024:4033 0 None None None 2024-06-20 15:39:53 UTC
Red Hat Product Errata RHBA-2024:5335 0 None None None 2024-08-13 17:32:46 UTC
Red Hat Product Errata RHBA-2024:8041 0 None None None 2024-10-14 05:27:13 UTC
Red Hat Product Errata RHBA-2024:8135 0 None None None 2024-10-15 13:25:21 UTC
Red Hat Product Errata RHBA-2024:8278 0 None None None 2024-10-21 00:22:18 UTC
Red Hat Product Errata RHSA-2024:0045 0 None None None 2024-06-27 13:01:05 UTC
Red Hat Product Errata RHSA-2024:1616 0 None None None 2024-07-01 00:29:00 UTC
Red Hat Product Errata RHSA-2024:2088 0 None None None 2024-04-29 02:27:00 UTC
Red Hat Product Errata RHSA-2024:2562 0 None None None 2024-04-30 14:39:40 UTC
Red Hat Product Errata RHSA-2024:2724 0 None None None 2024-05-07 10:38:43 UTC
Red Hat Product Errata RHSA-2024:3259 0 None None None 2024-05-22 11:39:56 UTC
Red Hat Product Errata RHSA-2024:3346 0 None None None 2024-05-23 18:06:22 UTC
Red Hat Product Errata RHSA-2024:3617 0 None None None 2024-07-01 00:53:19 UTC
Red Hat Product Errata RHSA-2024:3621 0 None None None 2024-06-05 05:15:38 UTC
Red Hat Product Errata RHSA-2024:3637 0 None None None 2024-07-01 00:40:15 UTC
Red Hat Product Errata RHSA-2024:3781 0 None None None 2024-06-10 18:37:13 UTC
Red Hat Product Errata RHSA-2024:3790 0 None None None 2024-06-11 02:33:49 UTC
Red Hat Product Errata RHSA-2024:3826 0 None None None 2024-06-11 19:40:53 UTC
Red Hat Product Errata RHSA-2024:3827 0 None None None 2024-06-11 19:41:15 UTC
Red Hat Product Errata RHSA-2024:3830 0 None None None 2024-06-11 19:41:45 UTC
Red Hat Product Errata RHSA-2024:3831 0 None None None 2024-06-11 19:41:55 UTC
Red Hat Product Errata RHSA-2024:3868 0 None None None 2024-06-17 00:44:03 UTC
Red Hat Product Errata RHSA-2024:4023 0 None None None 2024-06-20 12:37:27 UTC
Red Hat Product Errata RHSA-2024:4520 0 None None None 2024-07-11 17:32:43 UTC
Red Hat Product Errata RHSA-2024:4893 0 None None None 2024-07-29 00:17:04 UTC
Red Hat Product Errata RHSA-2024:5075 0 None None None 2024-08-07 10:36:02 UTC
Red Hat Product Errata RHSA-2024:5077 0 None None None 2024-08-07 10:53:02 UTC
Red Hat Product Errata RHSA-2024:5202 0 None None None 2024-08-19 05:12:27 UTC
Red Hat Product Errata RHSA-2024:5258 0 None None None 2024-08-13 00:38:04 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:41:43 UTC
Red Hat Product Errata RHSA-2024:5436 0 None None None 2024-08-22 11:56:08 UTC
Red Hat Product Errata RHSA-2024:5439 0 None None None 2024-08-22 11:43:01 UTC
Red Hat Product Errata RHSA-2024:5442 0 None None None 2024-08-22 11:58:26 UTC
Red Hat Product Errata RHSA-2024:5444 0 None None None 2024-08-22 11:43:27 UTC
Red Hat Product Errata RHSA-2024:5446 0 None None None 2024-08-22 12:14:41 UTC
Red Hat Product Errata RHSA-2024:5808 0 None None None 2024-08-29 03:08:03 UTC
Red Hat Product Errata RHSA-2024:5810 0 None None None 2024-08-29 03:17:29 UTC
Red Hat Product Errata RHSA-2024:6221 0 None None None 2024-09-03 11:45:17 UTC
Red Hat Product Errata RHSA-2024:6969 0 None None None 2024-09-24 03:21:30 UTC
Red Hat Product Errata RHSA-2024:7174 0 None None None 2024-10-02 05:28:36 UTC
Red Hat Product Errata RHSA-2024:7548 0 None None None 2024-10-16 00:35:09 UTC
Red Hat Product Errata RHSA-2024:7922 0 None None None 2024-10-16 02:40:19 UTC
Red Hat Product Errata RHSA-2024:8038 0 None None None 2024-10-14 02:14:42 UTC
Red Hat Product Errata RHSA-2024:9135 0 None None None 2024-11-12 08:54:51 UTC
Red Hat Product Errata RHSA-2024:9485 0 None None None 2024-11-13 13:15:17 UTC

Description Robb Gatica 2024-03-06 01:50:13 UTC 
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

ParseMultipartForm now correctly limits the maximum size of form lines.

https://github.com/golang/go/issues/65383
Comment 1 Robb Gatica 2024-03-06 19:05:43 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2268239]
Affects: fedora-all [bug 2268238]
Comment 16 errata-xmlrpc 2024-04-29 02:26:54 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088
Comment 17 errata-xmlrpc 2024-04-30 14:39:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562
Comment 21 errata-xmlrpc 2024-05-07 10:38:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2724 https://access.redhat.com/errata/RHSA-2024:2724
Comment 23 errata-xmlrpc 2024-05-22 11:39:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3259 https://access.redhat.com/errata/RHSA-2024:3259
Comment 24 errata-xmlrpc 2024-05-23 18:06:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3346 https://access.redhat.com/errata/RHSA-2024:3346
Comment 25 errata-xmlrpc 2024-06-05 05:15:32 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.2

Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621
Comment 27 errata-xmlrpc 2024-06-10 18:37:06 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
Comment 28 errata-xmlrpc 2024-06-11 02:33:41 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:3790 https://access.redhat.com/errata/RHSA-2024:3790
Comment 29 errata-xmlrpc 2024-06-11 19:40:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826
Comment 30 errata-xmlrpc 2024-06-11 19:41:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827
Comment 31 errata-xmlrpc 2024-06-11 19:41:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3830 https://access.redhat.com/errata/RHSA-2024:3830
Comment 32 errata-xmlrpc 2024-06-11 19:41:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3831 https://access.redhat.com/errata/RHSA-2024:3831
Comment 34 errata-xmlrpc 2024-06-17 00:43:54 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868
Comment 35 errata-xmlrpc 2024-06-20 12:37:20 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:4023 https://access.redhat.com/errata/RHSA-2024:4023
Comment 36 errata-xmlrpc 2024-06-27 13:00:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045
Comment 37 errata-xmlrpc 2024-07-01 00:28:53 UTC 
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:1616 https://access.redhat.com/errata/RHSA-2024:1616
Comment 38 errata-xmlrpc 2024-07-01 00:40:07 UTC 
This issue has been addressed in the following products:

  OSSO-1.3-RHEL-9

Via RHSA-2024:3637 https://access.redhat.com/errata/RHSA-2024:3637
Comment 39 errata-xmlrpc 2024-07-01 00:53:13 UTC 
This issue has been addressed in the following products:

  KDO-5.0-RHEL-9

Via RHSA-2024:3617 https://access.redhat.com/errata/RHSA-2024:3617
Comment 40 errata-xmlrpc 2024-07-11 17:32:37 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520
Comment 41 errata-xmlrpc 2024-07-29 00:16:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:4893 https://access.redhat.com/errata/RHSA-2024:4893
Comment 42 errata-xmlrpc 2024-08-07 10:35:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5075 https://access.redhat.com/errata/RHSA-2024:5075
Comment 43 errata-xmlrpc 2024-08-07 10:52:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5077 https://access.redhat.com/errata/RHSA-2024:5077
Comment 44 errata-xmlrpc 2024-08-13 00:37:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258
Comment 45 errata-xmlrpc 2024-08-19 05:12:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5202 https://access.redhat.com/errata/RHSA-2024:5202
Comment 46 errata-xmlrpc 2024-08-22 11:41:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433
Comment 47 errata-xmlrpc 2024-08-22 11:42:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5439 https://access.redhat.com/errata/RHSA-2024:5439
Comment 48 errata-xmlrpc 2024-08-22 11:43:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444
Comment 49 errata-xmlrpc 2024-08-22 11:56:00 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5436 https://access.redhat.com/errata/RHSA-2024:5436
Comment 50 errata-xmlrpc 2024-08-22 11:58:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5442 https://access.redhat.com/errata/RHSA-2024:5442
Comment 51 errata-xmlrpc 2024-08-22 12:14:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5446 https://access.redhat.com/errata/RHSA-2024:5446
Comment 52 errata-xmlrpc 2024-08-29 03:07:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5808 https://access.redhat.com/errata/RHSA-2024:5808
Comment 53 errata-xmlrpc 2024-08-29 03:17:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12
  Ironic content for Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5810 https://access.redhat.com/errata/RHSA-2024:5810
Comment 54 errata-xmlrpc 2024-09-03 11:45:10 UTC 
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.1-RHEL-8

Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221
Comment 55 errata-xmlrpc 2024-09-24 03:21:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969
Comment 56 errata-xmlrpc 2024-10-02 05:28:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:7174 https://access.redhat.com/errata/RHSA-2024:7174
Comment 58 errata-xmlrpc 2024-10-14 02:14:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:8038 https://access.redhat.com/errata/RHSA-2024:8038
Comment 59 errata-xmlrpc 2024-10-16 00:34:57 UTC 
This issue has been addressed in the following products:

  RODOO-1.2-RHEL-9

Via RHSA-2024:7548 https://access.redhat.com/errata/RHSA-2024:7548
Comment 60 errata-xmlrpc 2024-10-16 02:40:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922
Comment 61 errata-xmlrpc 2024-11-12 08:54:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9135 https://access.redhat.com/errata/RHSA-2024:9135
Comment 62 errata-xmlrpc 2024-11-13 13:15:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift PODIFIED 1.0

Via RHSA-2024:9485 https://access.redhat.com/errata/RHSA-2024:9485
Note You need to log in before you can comment on or make changes to this bug.