{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2017-08-09T00:00:00", "descriptions": [{"lang": "en", "value": "The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given \"maxMemory\" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-04T01:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://golang.org/issue/17965"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://golang.org/cl/30410"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-08-09", "ID": "CVE-2017-1000098", "REQUESTER": "kurt@seifried.org", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given \"maxMemory\" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ"}, {"name": "https://golang.org/issue/17965", "refsource": "CONFIRM", "url": "https://golang.org/issue/17965"}, {"name": "https://golang.org/cl/30410", "refsource": "CONFIRM", "url": "https://golang.org/cl/30410"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:53:06.809Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://golang.org/issue/17965"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://golang.org/cl/30410"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000098", "datePublished": "2017-10-04T01:00:00Z", "dateReserved": "2017-10-03T00:00:00Z", "dateUpdated": "2024-09-16T22:19:55.128Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "583AACA0-8F17-4903-B063-B1253BA95325", "versionEndExcluding": "1.6.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BA96926-E4F1-417B-8979-5956D23DD043", "versionEndExcluding": "1.7.4", "versionStartIncluding": "1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given \"maxMemory\" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors."}, {"lang": "es", "value": "El m\u00e9todo Request.ParseMultipartForm del paquete net/http empieza a escribir en archivos temporales una vez que el tama\u00f1o del cuerpo de la petici\u00f3n sobrepase el l\u00edmite \"maxMemory\" establecido. Un atacante podr\u00eda generar un petici\u00f3n multipart manipulada para que el servidor se quede sin descriptores de archivo."}], "id": "CVE-2017-1000098", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-05T01:29:03.977", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://golang.org/cl/30410"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://golang.org/issue/17965"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://golang.org/cl/30410"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://golang.org/issue/17965"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-769"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:1859", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "golang-0:1.8.3-1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-01T00:00:00Z"}], "bugzilla": {"description": "golang: net/http: multipart ReadForm close file after copy", "id": "1401985", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1401985"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given \"maxMemory\" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors."], "name": "CVE-2017-1000098", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat OpenShift Enterprise 3"}, {"cpe": "cpe:/a:redhat:openstack-optools:10", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat OpenStack Platform 10 (Newton) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack-optools:8", "fix_state": "Will not fix", "package_name": "golang", "product_name": "Red Hat OpenStack Platform 8 (Liberty) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack-optools:9", "fix_state": "Will not fix", "package_name": "golang", "product_name": "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools"}], "public_date": "2016-12-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000098\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000098\nhttps://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ"], "threat_severity": "Moderate"}