CVE-2023-45288

一、漏洞信息
漏洞编号：CVE-2023-45288
漏洞归属组件：git-lfs
漏洞归属的版本：2.12.0,3.2.0
CVSS V2.0分值：
BaseScore：0.0 Low
Vector：CVSS：2.0/
漏洞简述：
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
漏洞公开时间：2024-04-05 05:15:16
漏洞创建时间：2024-04-24 11:50:27
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2023-45288

更多参考(点击展开)

参考来源	参考链接	来源链接
security.golang.org	https://go.dev/cl/576155
security.golang.org	https://go.dev/issue/65051
security.golang.org	https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
security.golang.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
security.golang.org	https://pkg.go.dev/vuln/GO-2024-2687
security.golang.org	https://security.netapp.com/advisory/ntap-20240419-0009/
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1668	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1679	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1681	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1683	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1963	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1962	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2060	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2062	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1899	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1892	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1897	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2079	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2088	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
debian		https://security-tracker.debian.org/tracker/CVE-2023-45288
cve_search		https://go.dev/issue/65051
cve_search		https://go.dev/cl/576155
cve_search		https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
cve_search		https://pkg.go.dev/vuln/GO-2024-2687
cve_search		https://security.netapp.com/advisory/ntap-20240419-0009/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
github_advisory	https://nowotarski.info/http2-continuation-flood-technical-details	https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
github_advisory	https://pkg.go.dev/vuln/GO-2024-2687	https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
github_advisory	https://nvd.nist.gov/vuln/detail/CVE-2023-45288	https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
github_advisory	https://go.dev/cl/576155	https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
github_advisory	https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M	https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
github_advisory	https://go.dev/issue/65051	https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
mageia		http://advisories.mageia.org/MGASA-2024-0128.html
go	https://go.dev/issue/65051	https://github.com/golang/vulndb/blob/master/reports/GO-2024-2687.yaml
go	https://go.dev/cl/576155	https://github.com/golang/vulndb/blob/master/reports/GO-2024-2687.yaml
go	https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M	https://github.com/golang/vulndb/blob/master/reports/GO-2024-2687.yaml
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2023-45288	https://explore.alas.aws.amazon.com/CVE-2023-45288.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288	https://explore.alas.aws.amazon.com/CVE-2023-45288.html
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGSERVER-6615853
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGSERVER-6615853
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGSERVER-6615853
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGSERVER-6615853
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGSERVER-6615852
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGSERVER-6615852
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGSERVER-6615852
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGSERVER-6615852
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGREDACTOR-6615851
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGREDACTOR-6615851
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGREDACTOR-6615851
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGREDACTOR-6615851
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGREDACTOR-6615850
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGREDACTOR-6615850
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGREDACTOR-6615850
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGREDACTOR-6615850
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGCONFIGSTATIC-6615849
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGCONFIGSTATIC-6615849
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGCONFIGSTATIC-6615849
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGCONFIGSTATIC-6615849
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGCONFIGSTATIC-6615848
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGCONFIGSTATIC-6615848
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGCONFIGSTATIC-6615848
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGCONFIGSTATIC-6615848
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGAPI-6615847
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGAPI-6615847
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGAPI-6615847
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV3PKGAPI-6615847
snyk	https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGAPI-6615846
snyk	https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGAPI-6615846
snyk	https://github.com/golang/go/issues/65051	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGAPI-6615846
snyk	https://pkg.go.dev/vuln/GO-2024-2687	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGAPI-6615846
ubuntu	https://kb.cert.org/vuls/id/421644	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://go.dev/cl/576155	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://pkg.go.dev/vuln/GO-2024-2687	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://www.cve.org/CVERecord?id=CVE-2023-45288	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2023-45288	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://launchpad.net/bugs/cve/CVE-2023-45288	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://security-tracker.debian.org/tracker/CVE-2023-45288	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://go.dev/issue/65051	https://ubuntu.com/security/CVE-2023-45288
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288	https://ubuntu.com/security/CVE-2023-45288

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
		https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587		snyk
		https://github.com/traefik/traefik/commit/099c7e9444a5d56918b8221672fc8d6a09a5d389		snyk

二、漏洞分析结构反馈
影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：
1.master(3.2.0):
2.openEuler-20.03-LTS-SP1:
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS:
5.openEuler-22.03-LTS-Next:
6.openEuler-22.03-LTS-SP1:
7.openEuler-22.03-LTS-SP2:
8.openEuler-22.03-LTS-SP3:
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

修复是否涉及abi变化(是/否)：
1.master(3.2.0):
2.openEuler-20.03-LTS-SP1:
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS:
5.openEuler-22.03-LTS-Next:
6.openEuler-22.03-LTS-SP1:
7.openEuler-22.03-LTS-SP2:
8.openEuler-22.03-LTS-SP3:
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

@fcwicky ,@yanan-rock ,@myeuler ,@love_hangzhou ,@forrest_ly ,@overweight ,@jingxiaolu ,@ethan848 ,@licihua ,@softkiller 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(3.2.0):
2.openEuler-20.03-LTS-SP1:
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS:
5.openEuler-22.03-LTS-Next:
6.openEuler-22.03-LTS-SP1:
7.openEuler-22.03-LTS-SP2:
8.openEuler-22.03-LTS-SP3:
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

修复是否涉及abi变化(是/否)：
1.master(3.2.0):
2.openEuler-20.03-LTS-SP1:
3.openEuler-20.03-LTS-SP4:
4.openEuler-22.03-LTS:
5.openEuler-22.03-LTS-Next:
6.openEuler-22.03-LTS-SP1:
7.openEuler-22.03-LTS-SP2:
8.openEuler-22.03-LTS-SP3:
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://ubuntu.com/security/CVE-2023-45288	None	None	https://discourse.ubuntu.com/c/ubuntu-pro
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-45288
https://security-tracker.debian.org/tracker/CVE-2023-45288	None	None	https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3 https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

/reson CVE误报，CVE是go的CVE，非git-lfs

/lgtm
/approve

/reason

/reason 误报

issue状态	操作者	原因
已拒绝	overweight	误报

src-openEuler/git-lfs

内容风险标识

评论 (9)

src-openEuler/git-lfs .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2023-45288

评论 (9)

搜索帮助

src-openEuler/git-lfs