Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-3D73E384-AD1F-11ED-983C-83FE35862E3A (CVE-2022-41724): go -- multiple vulnerabilities


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 02/14/2023
Created: 02/22/2023
Added: 02/17/2023
Modified: 03/13/2023

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-3D73E384-AD1F-11ED-983C-83FE35862E3A:

The Go project reports:

path/filepath: path traversal in filepath.Clean on Windows

On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

net/http, mime/multipart: denial of service from excessive resource consumption

Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

crypto/tls: large handshake records may cause panics

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

net/http: avoid quadratic complexity in HPACK decoding

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Solution(s)

  • freebsd-upgrade-package-go119
  • freebsd-upgrade-package-go120
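
An added example, not part of this database entry or the Go project's advisory: a defense-in-depth validator for untrusted relative paths that does not depend on filepath.Clean, so an input such as a/../c:/b from the description above is rejected on any Go version and operating system. The names SafeRel and ErrUnsafePath, and the policy of rejecting every ':' in a path component, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath marks input that could resolve outside the intended base directory.
var ErrUnsafePath = errors.New("unsafe relative path")

// SafeRel (hypothetical helper) validates an untrusted relative path with
// slash-only lexical rules, so the verdict is identical on every OS.
func SafeRel(untrusted string) (string, error) {
	if untrusted == "" || strings.ContainsRune(untrusted, 0) {
		return "", ErrUnsafePath
	}
	// Windows accepts both separators; normalise before any check.
	p := strings.ReplaceAll(untrusted, `\`, "/")
	if strings.HasPrefix(p, "/") {
		return "", ErrUnsafePath // rooted or UNC-style input
	}
	cleaned := path.Clean(p)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafePath // climbs above the base directory
	}
	// Check components after cleaning: "a/../c:/b" collapses to "c:/b",
	// which Windows would read as a drive-qualified path.
	for _, part := range strings.Split(cleaned, "/") {
		if strings.Contains(part, ":") {
			return "", ErrUnsafePath
		}
	}
	return cleaned, nil
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{"docs/./report.txt", "a/../c:/b", `..\secret`} {
		out, err := SafeRel(in)
		fmt.Printf("%q -> %q, %v\n", in, out, err)
	}
}
```

Join the returned value onto the base directory only after this check succeeds; upgrading the go119 or go120 package as listed above remains the fix for the library itself.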
