MIME Multipart on Go resource consumption

Summaryinfo

A vulnerability classified as problematic was found in MIME Multipart on Go. This vulnerability affects unknown code. The manipulation results in resource consumption. This vulnerability is reported as CVE-2023-24536. No exploit exists.

Detailsinfo

A vulnerability classified as problematic has been found in MIME Multipart on Go (version unknown). Affected is an unknown function. The manipulation with an unknown input leads to a resource consumption vulnerability. CWE is classifying the issue as CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. This is going to have an impact on availability. CVE summarizes:

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

The weakness was disclosed 04/06/2023. The advisory is available at go.dev. This vulnerability is traded as CVE-2023-24536 since 01/25/2023. The technical details are unknown and an exploit is not available.

The vulnerability scanner Nessus provides a plugin with the ID 211363 (Ubuntu 22.04 LTS : Go vulnerabilities (USN-7111-1)), which helps to determine the existence of the flaw in a target environment.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at Tenable (211363) and CERT Bund (WID-SEC-2023-1378). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• Oracle Linux
• Red Hat OpenShift
• IBM Spectrum Protect
• RESF Rocky Linux

Productinfo

Name

• MIME Multipart

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion