登录
注册
开源
企业版
高校版
搜索
帮助中心
使用条款
关于我们
开源
企业版
高校版
私有云
模力方舟
登录
注册
医疗 AI 怎么落地?本周四晚 19:30,「智医灵枢」开发者直播开讲,来听听一线医院的实战分享!
代码拉取完成,页面将自动刷新
捐赠
捐赠前请先登录
取消
前往登录
扫描微信二维码支付
取消
支付完成
支付提示
将跳转至支付宝完成支付
确定
取消
Watch
不关注
关注所有动态
仅关注版本发行动态
关注但不提醒动态
12
Star
0
Fork
30
src-openEuler
/
etcd
代码
Issues
22
Pull Requests
1
Wiki
统计
流水线
服务
JavaDoc
PHPDoc
质量分析
Jenkins for Gitee
腾讯云托管
腾讯云 Serverless
悬镜安全
阿里云 SAE
Codeblitz
SBOM
我知道了,不再自动展开
更新失败,请稍后重试!
移除标识
内容风险标识
本任务被
标识为内容中包含有代码安全 Bug 、隐私泄露等敏感信息,仓库外成员不可访问
CVE-2023-24536
待办的
#I6T1HC
CVE和安全问题
openeuler-ci-bot
拥有者
创建于
2023-04-05 06:54
一、漏洞信息 漏洞编号:[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) 漏洞归属组件:[etcd](https://gitee.com/src-openeuler/etcd) 漏洞归属的版本:3.4.14,3.4.7 CVSS V3.0分值: BaseScore:7.5 High Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 漏洞简述: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. 漏洞公开时间:2023-04-07 00:15:07 漏洞创建时间:2023-04-04 22:54:14 漏洞详情参考链接: https://nvd.nist.gov/vuln/detail/CVE-2023-24536 <details> <summary>更多参考(点击展开)</summary> | 参考来源 | 参考链接 | 来源链接 | | ------- | -------- | -------- | | security.golang.org | https://go.dev/cl/482075 | | | security.golang.org | https://go.dev/cl/482076 | | | security.golang.org | https://go.dev/cl/482077 | | | security.golang.org | https://go.dev/issue/59153 | | | security.golang.org | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | | | security.golang.org | https://pkg.go.dev/vuln/GO-2023-1705 | | | security.golang.org | https://security.gentoo.org/glsa/202311-09 | | | security.golang.org | https://security.netapp.com/advisory/ntap-20230526-0007/ | | | redhat_bugzilla | https://github.com/golang/go/issues/59153 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://github.com/golang/go/issues/59270 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3167 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3445 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3450 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3455 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3367 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3540 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3624 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3612 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3918 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3943 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4003 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4093 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4470 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4335 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4627 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4664 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4657 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4986 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:5964 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6346 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6363 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6402 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6473 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6474 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6938 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6939 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2944 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | ubuntu | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://go.dev/issue/59153 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 (go1.20.3) | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 (go.1.19.8) | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://launchpad.net/bugs/cve/CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://security-tracker.debian.org/tracker/CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | debian | | https://security-tracker.debian.org/tracker/CVE-2023-24536 | | gentoo | | https://security.gentoo.org/glsa/202311-09 | | anolis | | https://anas.openanolis.cn/cves/detail/CVE-2023-24536 | | cve_search | | https://go.dev/cl/482077 | | cve_search | | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | | cve_search | | https://go.dev/cl/482076 | | cve_search | | https://go.dev/cl/482075 | | cve_search | | https://go.dev/issue/59153 | | cve_search | | https://pkg.go.dev/vuln/GO-2023-1705 | | cve_search | | https://security.netapp.com/advisory/ntap-20230526-0007/ | | mageia | | http://advisories.mageia.org/MGASA-2023-0145.html | | go | https://go.dev/issue/59153 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://go.dev/cl/482076 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://go.dev/cl/482075 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://go.dev/cl/482077 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | osv | https://pkg.go.dev/vuln/GO-2023-1705 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://security.gentoo.org/glsa/202311-09 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://security.netapp.com/advisory/ntap-20230526-0007/ | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/cl/482075 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/cl/482076 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/cl/482077 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/issue/59153 | https://osv.dev/vulnerability/CVE-2023-24536 | | amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-24536 | https://explore.alas.aws.amazon.com/CVE-2023-24536.html | | amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536 | https://explore.alas.aws.amazon.com/CVE-2023-24536.html | </details> 漏洞分析指导链接: https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md 漏洞数据来源: openBrain开源漏洞感知系统 漏洞补丁信息: <details> <summary>详情(点击展开)</summary> | 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 | | ------- | -------- | ------- | -------- | --------- | | | | https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 (go1.20.3) | | ubuntu | | | | https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 (go.1.19.8) | | ubuntu | | | | https://go.dev/cl/482075 | | nvd | | | | https://go.dev/cl/482076 | | nvd | | | | https://go.dev/cl/482077 | | nvd | | | | https://go.dev/issue/59153 | | nvd | | | | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | | nvd | | | | https://pkg.go.dev/vuln/GO-2023-1705 | | nvd | | golang-1.10 | | https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 | | ubuntu | </details> 二、漏洞分析结构反馈 影响性分析说明: 解析multipart表单时,尤其是处理含有大量部分的表单输入时,可能会消耗大量的CPU和内存。这个问题主要由以下几个原因造成:mime/multipart.Reader.ReadForm限制了被解析的multipart表单可以占用的总内存。然而,ReadForm可能低估了所消耗的内存大小,导致接受比预期更大的输入。限制总内存使用并不能解决由于大量小分配(特别是在包含许多部分的表单中)带来的垃圾回收器压力增加的问题。ReadForm可能会分配大量的短生命周期缓冲区,这进一步增加了垃圾回收器的压力。这些问题组合起来,允许攻击者通过发送特别构造的请求使解析multipart表单的程序消耗大量的CPU和内存,可能导致拒绝服务攻击。这一问题影响了使用mime/multipart.Reader.ReadForm的程序以及使用net/http包中Request方法(如FormFile、FormValue、ParseMultipartForm和PostFormValue)进行表单解析的程序。 上游修复方案:https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 ,openEuler master和24.03 golang版本为1.21.4 不受影响,20.03和22.03相关分支golang版本受影响 openEuler评分: 7.5 Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 受影响版本排查(受影响/不受影响): 1.openEuler-20.03-LTS-SP3(3.4.14):受影响 2.openEuler-22.03-LTS(3.4.14):受影响 3.openEuler-22.03-LTS-SP1(3.4.14):受影响 4.openEuler-22.03-LTS-SP4(3.4.14):受影响 5.openEuler-20.03-LTS-SP4(3.4.14):受影响 6.openEuler-22.03-LTS-SP3(3.4.14):受影响 7.openEuler-24.03-LTS(3.4.14):不受影响 8.openEuler-24.03-LTS-Next(3.4.14):不受影响 9.master(3.4.14):不受影响 10.openEuler-24.03-LTS-SP1(3.4.14):不受影响 修复是否涉及abi变化(是/否): 1.openEuler-20.03-LTS-SP1:否 2.openEuler-20.03-LTS-SP3(3.4.14):否 3.openEuler-22.03-LTS(3.4.14):否 4.openEuler-22.03-LTS-SP1(3.4.14):否 5.openEuler-24.03-LTS(3.4.14):否 6.openEuler-24.03-LTS-Next(3.4.14):否 7.openEuler-22.03-LTS-SP4(3.4.14):否 8.master(3.4.14):否 9.openEuler-20.03-LTS-SP4(3.4.14):否 10.openEuler-22.03-LTS-SP3(3.4.14):否 11.openEuler-24.03-LTS-SP1(3.4.14):否 原因说明: 1.master(3.4.14): 2.openEuler-20.03-LTS-SP4(3.4.14): 3.openEuler-22.03-LTS-SP3(3.4.14): 4.openEuler-22.03-LTS-SP4(3.4.14): 5.openEuler-24.03-LTS(3.4.14): 6.openEuler-24.03-LTS-Next(3.4.14): 7.openEuler-24.03-LTS-SP1(3.4.14):
一、漏洞信息 漏洞编号:[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) 漏洞归属组件:[etcd](https://gitee.com/src-openeuler/etcd) 漏洞归属的版本:3.4.14,3.4.7 CVSS V3.0分值: BaseScore:7.5 High Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 漏洞简述: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. 漏洞公开时间:2023-04-07 00:15:07 漏洞创建时间:2023-04-04 22:54:14 漏洞详情参考链接: https://nvd.nist.gov/vuln/detail/CVE-2023-24536 <details> <summary>更多参考(点击展开)</summary> | 参考来源 | 参考链接 | 来源链接 | | ------- | -------- | -------- | | security.golang.org | https://go.dev/cl/482075 | | | security.golang.org | https://go.dev/cl/482076 | | | security.golang.org | https://go.dev/cl/482077 | | | security.golang.org | https://go.dev/issue/59153 | | | security.golang.org | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | | | security.golang.org | https://pkg.go.dev/vuln/GO-2023-1705 | | | security.golang.org | https://security.gentoo.org/glsa/202311-09 | | | security.golang.org | https://security.netapp.com/advisory/ntap-20230526-0007/ | | | redhat_bugzilla | https://github.com/golang/go/issues/59153 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://github.com/golang/go/issues/59270 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3167 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3445 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3450 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3455 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3367 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3540 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3624 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3612 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3918 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:3943 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4003 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4093 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4470 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4335 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4627 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4664 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4657 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:4986 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:5964 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6346 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6363 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6402 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6473 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6474 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6938 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:6939 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2944 | https://bugzilla.redhat.com/show_bug.cgi?id=2184482 | | ubuntu | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://go.dev/issue/59153 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 (go1.20.3) | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 (go.1.19.8) | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://launchpad.net/bugs/cve/CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | ubuntu | https://security-tracker.debian.org/tracker/CVE-2023-24536 | https://ubuntu.com/security/CVE-2023-24536 | | debian | | https://security-tracker.debian.org/tracker/CVE-2023-24536 | | gentoo | | https://security.gentoo.org/glsa/202311-09 | | anolis | | https://anas.openanolis.cn/cves/detail/CVE-2023-24536 | | cve_search | | https://go.dev/cl/482077 | | cve_search | | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | | cve_search | | https://go.dev/cl/482076 | | cve_search | | https://go.dev/cl/482075 | | cve_search | | https://go.dev/issue/59153 | | cve_search | | https://pkg.go.dev/vuln/GO-2023-1705 | | cve_search | | https://security.netapp.com/advisory/ntap-20230526-0007/ | | mageia | | http://advisories.mageia.org/MGASA-2023-0145.html | | go | https://go.dev/issue/59153 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://go.dev/cl/482076 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://go.dev/cl/482075 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://go.dev/cl/482077 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | go | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | https://github.com/golang/vulndb/blob/master/reports/GO-2023-1705.yaml | | osv | https://pkg.go.dev/vuln/GO-2023-1705 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://security.gentoo.org/glsa/202311-09 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://security.netapp.com/advisory/ntap-20230526-0007/ | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/cl/482075 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/cl/482076 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/cl/482077 | https://osv.dev/vulnerability/CVE-2023-24536 | | osv | https://go.dev/issue/59153 | https://osv.dev/vulnerability/CVE-2023-24536 | | amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-24536 | https://explore.alas.aws.amazon.com/CVE-2023-24536.html | | amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536 | https://explore.alas.aws.amazon.com/CVE-2023-24536.html | </details> 漏洞分析指导链接: https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md 漏洞数据来源: openBrain开源漏洞感知系统 漏洞补丁信息: <details> <summary>详情(点击展开)</summary> | 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 | | ------- | -------- | ------- | -------- | --------- | | | | https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 (go1.20.3) | | ubuntu | | | | https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 (go.1.19.8) | | ubuntu | | | | https://go.dev/cl/482075 | | nvd | | | | https://go.dev/cl/482076 | | nvd | | | | https://go.dev/cl/482077 | | nvd | | | | https://go.dev/issue/59153 | | nvd | | | | https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8 | | nvd | | | | https://pkg.go.dev/vuln/GO-2023-1705 | | nvd | | golang-1.10 | | https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 | | ubuntu | </details> 二、漏洞分析结构反馈 影响性分析说明: 解析multipart表单时,尤其是处理含有大量部分的表单输入时,可能会消耗大量的CPU和内存。这个问题主要由以下几个原因造成:mime/multipart.Reader.ReadForm限制了被解析的multipart表单可以占用的总内存。然而,ReadForm可能低估了所消耗的内存大小,导致接受比预期更大的输入。限制总内存使用并不能解决由于大量小分配(特别是在包含许多部分的表单中)带来的垃圾回收器压力增加的问题。ReadForm可能会分配大量的短生命周期缓冲区,这进一步增加了垃圾回收器的压力。这些问题组合起来,允许攻击者通过发送特别构造的请求使解析multipart表单的程序消耗大量的CPU和内存,可能导致拒绝服务攻击。这一问题影响了使用mime/multipart.Reader.ReadForm的程序以及使用net/http包中Request方法(如FormFile、FormValue、ParseMultipartForm和PostFormValue)进行表单解析的程序。 上游修复方案:https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 ,openEuler master和24.03 golang版本为1.21.4 不受影响,20.03和22.03相关分支golang版本受影响 openEuler评分: 7.5 Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 受影响版本排查(受影响/不受影响): 1.openEuler-20.03-LTS-SP3(3.4.14):受影响 2.openEuler-22.03-LTS(3.4.14):受影响 3.openEuler-22.03-LTS-SP1(3.4.14):受影响 4.openEuler-22.03-LTS-SP4(3.4.14):受影响 5.openEuler-20.03-LTS-SP4(3.4.14):受影响 6.openEuler-22.03-LTS-SP3(3.4.14):受影响 7.openEuler-24.03-LTS(3.4.14):不受影响 8.openEuler-24.03-LTS-Next(3.4.14):不受影响 9.master(3.4.14):不受影响 10.openEuler-24.03-LTS-SP1(3.4.14):不受影响 修复是否涉及abi变化(是/否): 1.openEuler-20.03-LTS-SP1:否 2.openEuler-20.03-LTS-SP3(3.4.14):否 3.openEuler-22.03-LTS(3.4.14):否 4.openEuler-22.03-LTS-SP1(3.4.14):否 5.openEuler-24.03-LTS(3.4.14):否 6.openEuler-24.03-LTS-Next(3.4.14):否 7.openEuler-22.03-LTS-SP4(3.4.14):否 8.master(3.4.14):否 9.openEuler-20.03-LTS-SP4(3.4.14):否 10.openEuler-22.03-LTS-SP3(3.4.14):否 11.openEuler-24.03-LTS-SP1(3.4.14):否 原因说明: 1.master(3.4.14): 2.openEuler-20.03-LTS-SP4(3.4.14): 3.openEuler-22.03-LTS-SP3(3.4.14): 4.openEuler-22.03-LTS-SP4(3.4.14): 5.openEuler-24.03-LTS(3.4.14): 6.openEuler-24.03-LTS-Next(3.4.14): 7.openEuler-24.03-LTS-SP1(3.4.14):
评论 (
6
)
登录
后才可以发表评论
状态
待办的
待办的
已挂起
进行中
已完成
已拒绝
负责人
未设置
pixiake
pixiake
负责人
协作者
+负责人
+协作者
标签
CVE/UNFIXED
sig/sig-CloudNative
未设置
项目
未立项任务
未立项任务
里程碑
未关联里程碑
未关联里程碑
Pull Requests
未关联
未关联
关联的 Pull Requests 被合并后可能会关闭此 issue
分支
未关联
分支 (26)
标签 (41)
master
openEuler-25.09
openEuler-24.03-LTS-SP2
openEuler-24.03-LTS-SP1
openEuler-24.03-LTS-Next
openEuler-22.03-LTS-SP4
openEuler-22.03-LTS-SP3
openEuler-24.03-LTS
openEuler-20.03-LTS-SP4
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
openEuler-25.03
sync-pr91-openEuler-22.03-LTS-SP1-to-openEuler-20.03-LTS-SP4
openEuler-24.09
revert-merge-57-openEuler-24.03-LTS
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS-Next
openEuler-22.03-LTS
openEuler-23.03
openEuler-23.09
openEuler-20.03-LTS-Next
openEuler-21.03
openEuler-21.09
openEuler-20.03-LTS-SP2
openEuler-20.09
openEuler-22.09
openEuler-24.03-LTS-SP1-update-20250911
openEuler-20.03-LTS-SP4-update-20250711
openEuler-22.03-LTS-SP3-update-20250711
openEuler-22.03-LTS-SP4-update-20250711
openEuler-24.03-LTS-update-20250711
openEuler-24.03-LTS-SP1-update-20250711
openEuler-24.03-LTS-SP2-update-20250711
openEuler-24.03-LTS-SP2-release
openEuler-24.03-LTS-update-20250425
openEuler-25.03-release
openEuler-24.03-LTS-SP1-update-20250228
openEuler-22.03-LTS-SP3-update-20250228
openEuler-22.03-LTS-SP4-update-20250228
openEuler-20.03-LTS-SP4-update-20250228
openEuler-24.03-LTS-SP1-update-20250221
openEuler-22.03-LTS-SP4-update-20250221
openEuler-22.03-LTS-SP3-update-20250221
openEuler-20.03-LTS-SP4-update-20250221
openEuler-24.03-LTS-update-20250214
openEuler-22.03-LTS-SP4-update-20250214
openEuler-22.03-LTS-SP3-update-20250214
openEuler-24.03-LTS-SP1-release
openEuler-22.03-LTS-SP4-update-20241213
openEuler-22.03-LTS-SP3-update-20241213
openEuler-22.03-LTS-SP4-release
openEuler-24.09-release
openEuler-24.03-LTS-release
openEuler-22.03-LTS-SP3-release
openEuler-23.09-rc5
openEuler-22.03-LTS-SP1-release
openEuler-22.09-release
openEuler-22.09-rc5
openEuler-22.09-20220829
openEuler-22.03-LTS-20220331
openEuler-22.03-LTS-round5
openEuler-22.03-LTS-round3
openEuler-22.03-LTS-round2
openEuler-22.03-LTS-round1
openEuler-20.03-LTS-SP3-release
openEuler-20.03-LTS-SP2-20210624
openEuler-21.03-20210330
开始日期 - 截止日期
-
置顶选项
不置顶
置顶等级:高
置顶等级:中
置顶等级:低
优先级
不指定
严重
主要
次要
不重要
预计工期
(小时)
参与者(1)
1
https://gitee.com/src-openeuler/etcd.git
git@gitee.com:src-openeuler/etcd.git
src-openeuler
etcd
etcd
点此查找更多帮助
搜索帮助
Git 命令在线学习
如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部
登录提示
该操作需登录 Gitee 帐号,请先登录后再操作。
立即登录
没有帐号,去注册
