CVE-2021-31525 - log

CVE-2021-31525 edited at 06 May 2021 19:58:19
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A security issue has been found in Go before version 1.16.4. ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
References
+ https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
+ https://github.com/golang/go/issues/45710
+ https://github.com/golang/net/commit/89ef3d95e781148a0951956029c92a211477f7f9
+ https://github.com/golang/go/commit/d4adea20f01627098936e050d3a73922f7ebe08f
Notes
CVE-2021-31525 created at 06 May 2021 19:53:07