Skip to main content
Version: latest

CVE-2023-24534

CVE Details

Visit the official vulnerability details page for CVE-2023-24534 to learn more.

Initial Publication

10/25/2024

Last Update

01/20/2025

Third Party Dependency

go

NIST CVE Summary

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

CVE Severity

7.5

Our Official Summary

This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used.

Status

Ongoing

Affected Products & Versions

This CVE is non-impacting as the impacting symbol and/or function is not used in the product

Revision History

DateRevision
01/20/2025Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20
01/20/2025Advisory is no longer impacting.
01/20/2025Official summary revised: This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used.
12/23/2024Advisory severity revised to HIGH from MEDIUM
12/22/2024Advisory severity revised to MEDIUM from HIGH
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/11/2024Official summary revised: This CVE involves excessive memory allocation in net/http and net/textproto, potentially leading to a denial of service due to large memory allocation while parsing HTTP and MIME headers even for small inputs. Attackers can exploit this vulnerability to exhaust an HTTP server's memory resources, causing a denial of service. By crafting specific input data patterns, an attacker can trigger the excessive memory allocation behavior in the HTTP and MIME header parsing functions, leading to memory exhaustion.Risk of this vulnerability exploited in Spectrocloud products is very low. 3rd party images afftected will be upgraded to remove the vulnerability.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5