Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-24536

Published: 6 April 2023

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
golang-1.20
Launchpad, Ubuntu, Debian
jammy Not vulnerable
(1.20.3-1ubuntu0.1~22.04)
xenial Ignored
(end of standard support)
focal Not vulnerable
(1.20.3-1ubuntu0.1~20.04)
bionic Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream
Released (1.20.3-1)
lunar Not vulnerable
(1.20.3-1)
mantic Not vulnerable
(1.20.3-1)
Patches:

upstream: https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0
golang-1.13
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was needed)
bionic Needed

focal Needed

jammy Needed

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needed

lunar Does not exist

mantic Does not exist

golang-1.17
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

jammy Needed

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
lunar Does not exist

mantic Does not exist

golang-1.18
Launchpad, Ubuntu, Debian
bionic Needed

xenial Needed

focal Needed

jammy Needed

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

lunar Does not exist

mantic Does not exist

golang-1.19
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was needed)
bionic Does not exist

focal Does not exist

jammy Does not exist

trusty Ignored
(end of standard support)
upstream
Released (1.19.8-1)
xenial Ignored
(end of standard support)
lunar Not vulnerable
(1.19.8-1)
mantic Does not exist

Patches:
upstream: https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538

golang-1.16
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

jammy Does not exist

trusty Ignored
(end of standard support)
xenial Ignored
(end of standard support)
kinetic Does not exist

upstream Needs triage

lunar Does not exist

mantic Does not exist

golang-1.10
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Needed

upstream Needs triage

xenial Needed

lunar Does not exist

mantic Does not exist

golang-1.14
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Needed

jammy Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needed

xenial Ignored
(end of standard support)
lunar Does not exist

mantic Does not exist

golang-1.6
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needed

lunar Does not exist

mantic Does not exist

golang-1.8
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
lunar Does not exist

mantic Does not exist

golang-1.9
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
lunar Does not exist

mantic Does not exist

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H