CVE-2017-1000098.json

{
  "id": "CVE-2017-1000098",
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "published": "2017-10-05T01:29:03.977000",
  "lastModified": "2023-11-07T02:37:54.203000",
  "evaluatorComment": null,
  "evaluatorSolution": null,
  "evaluatorImpact": null,
  "cisaExploitAdd": null,
  "cisaActionDue": null,
  "cisaRequiredAction": null,
  "cisaVulnerabilityName": null,
  "descriptions": [
    {
      "lang": "en",
      "value": "The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given \"maxMemory\" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors."
    },
    {
      "lang": "es",
      "value": "El método Request.ParseMultipartForm del paquete net/http empieza a escribir en archivos temporales una vez que el tamaño del cuerpo de la petición sobrepase el límite \"maxMemory\" establecido. Un atacante podría generar un petición multipart manipulada para que el servidor se quede sin descriptores de archivo."
    }
  ],
  "references": [
    {
      "url": "https://golang.org/cl/30410",
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://golang.org/issue/17965",
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://groups.google.com/forum/#%21msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ",
      "source": "cve@mitre.org",
      "tags": null
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "exploitCodeMaturity": null,
          "remediationLevel": null,
          "reportConfidence": null,
          "temporalScore": null,
          "temporalSeverity": null,
          "confidentialityRequirement": null,
          "integrityRequirement": null,
          "availabilityRequirement": null,
          "modifiedAttackVector": null,
          "modifiedAttackComplexity": null,
          "modifiedPrivilegesRequired": null,
          "modifiedUserInteraction": null,
          "modifiedScope": null,
          "modifiedConfidentialityImpact": null,
          "modifiedIntegrityImpact": null,
          "modifiedAvailabilityImpact": null,
          "environmentalScore": null,
          "environmentalSeverity": null
        },
        "baseSeverity": null,
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "acInsufInfo": null,
        "obtainAllPrivilege": null,
        "obtainUserPrivilege": null,
        "obtainOtherPrivilege": null,
        "userInteractionRequired": null
      }
    ],
    "cvssMetricV30": null,
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "exploitability": null,
          "remediationLevel": null,
          "reportConfidence": null,
          "temporalScore": null,
          "collateralDamagePotential": null,
          "targetDistribution": null,
          "confidentialityRequirement": null,
          "integrityRequirement": null,
          "availabilityRequirement": null,
          "environmentalScore": null
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-769"
        }
      ]
    }
  ],
  "configurations": [
    {
      "operator": null,
      "negate": null,
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "583AACA0-8F17-4903-B063-B1253BA95325",
              "versionStartExcluding": null,
              "versionStartIncluding": null,
              "versionEndExcluding": "1.6.4",
              "versionEndIncluding": null
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BA96926-E4F1-417B-8979-5956D23DD043",
              "versionStartExcluding": null,
              "versionStartIncluding": "1.7",
              "versionEndExcluding": "1.7.4",
              "versionEndIncluding": null
            }
          ]
        }
      ]
    }
  ],
  "vendorComments": null
}