CVE-2021-44716

Public on 2022-01-01

Modified on 2023-01-18

Description

There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.

Severity

Important

See what this means

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	golang	2022-04-25 15:59	ALAS-2022-1583
Amazon Linux 2 - Core	golang	2022-04-25 03:47	ALAS2-2022-1776
Amazon Linux 2 - Core	golang	2022-07-06 03:11	ALAS2-2022-1811
Amazon Linux 2023	golang	2023-02-17 20:45	ALAS2023-2023-048

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:N/A:P
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2021-44716 Mitre: CVE-2021-44716 FAQs regarding Amazon Linux ALAS/CVE Severity