Vulnerability Description
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.6.4 |
Related Weaknesses (CWE)
References
- https://golang.org/cl/30410Issue TrackingPatchVendor Advisory
- https://golang.org/issue/17965Issue TrackingPatchVendor Advisory
- https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
- https://golang.org/cl/30410Issue TrackingPatchVendor Advisory
- https://golang.org/issue/17965Issue TrackingPatchVendor Advisory
- https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
FAQ
What is CVE-2017-1000098?
CVE-2017-1000098 is a vulnerability with a CVSS score of 7.5 (HIGH). The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate...
How severe is CVE-2017-1000098?
CVE-2017-1000098 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-1000098?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.