Vulnerability CVE-2023-45290: Information

Description

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-45290
Published: March 6, 2024
Modified: May 1, 2024

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
golangsisyphus1.22.1-alt11.22.3-alt1ALT-PU-2024-3506-1342122Fixed
golangsisyphus_riscv641.22.1-alt11.22.3-alt1ALT-PU-2024-4203-1-Fixed
golangsisyphus_loongarch641.22.1-alt11.22.3-alt1ALT-PU-2024-3594-1-Fixed
golangp101.21.8-alt11.21.10-alt1ALT-PU-2024-3504-2342123Fixed
golangc10f11.21.8-alt11.21.10-alt1ALT-PU-2024-4847-5343662Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://go.dev/issue/65383
    https://go.dev/cl/569341
      https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
        https://pkg.go.dev/vuln/GO-2024-2599
          https://security.netapp.com/advisory/ntap-20240329-0004/
            http://www.openwall.com/lists/oss-security/2024/03/08/4
              VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
              Version: v24.5.1
              Back to top