Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oZ3I4LTZoOXgtZjdxOc4AAhsD

golang.org/x/net/http vulnerable to ping floods

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Specific Go Packages Affected

golang.org/x/net/http2

Permalink: https://github.com/advisories/GHSA-hgr8-6h9x-f7q9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZ3I4LTZoOXgtZjdxOc4AAhsD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 6 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hgr8-6h9x-f7q9, CVE-2019-9512
References: Repository: https://github.com/Netflix/security-bulletins

Affected Packages

go:golang.org/x/net
Dependent packages: 112,044
Dependent repositories: 276,704
Downloads:
Affected Version Ranges: < 0.0.0-20190813141303-74dc4d7220e7
Fixed in: 0.0.0-20190813141303-74dc4d7220e7
All affected versions:
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0