VDB
RHSA-2023%3A2728
RHSA-2023%3A2728
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhosdt/tempo-rhel8-operator@sha256:7a9e324e998eec2a60300b21a2bba25bfef6403177163d3925cf9167d9bc8fe8_ppc64le as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/tempo-rhel8-operator@sha256:7a9e324e998eec2a60300b21a2bba25bfef6403177163d3925cf9167d9bc8fe8_ppc64le |
| Red Hat | rhosdt/jaeger-all-in-one-rhel8@sha256:251e1a11abbb91bf0316c27242cc5f965f276dfecb388c19f9dfd93bc894622b_s390x as a component of Red Hat OpenShift distributed tracing 2.8 | * |
| Red Hat | rhosdt/tempo-rhel8-operator@sha256:f4835973248c4cc72ec1fcf6a2bfed9903bd857cfc56df123a6ab6a331a5522f_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/tempo-rhel8-operator@sha256:f4835973248c4cc72ec1fcf6a2bfed9903bd857cfc56df123a6ab6a331a5522f_amd64 |
| Red Hat | rhosdt/jaeger-ingester-rhel8@sha256:8713a0e37285d6e5c7133221c07dcf4012d832bd47bf6657829fbfa4add1d049_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-ingester-rhel8@sha256:8713a0e37285d6e5c7133221c07dcf4012d832bd47bf6657829fbfa4add1d049_amd64 |
| Red Hat | rhosdt/jaeger-agent-rhel8@sha256:b689645b06be8513d1960c4431ada2f7615d72cdc5df43adac38bd161b266a25_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-agent-rhel8@sha256:b689645b06be8513d1960c4431ada2f7615d72cdc5df43adac38bd161b266a25_amd64 |
| Red Hat | rhosdt/jaeger-agent-rhel8@sha256:b689645b06be8513d1960c4431ada2f7615d72cdc5df43adac38bd161b266a25_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | * |
| Red Hat | rhosdt/jaeger-query-rhel8@sha256:c6cb58f3440abb96c0ad5d3837131836cd8cd0b0e30582bf6fecdd2ec7f23fb5_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-query-rhel8@sha256:c6cb58f3440abb96c0ad5d3837131836cd8cd0b0e30582bf6fecdd2ec7f23fb5_amd64 |
| Red Hat | rhosdt/jaeger-all-in-one-rhel8@sha256:e4bb5f4ec8077fd88d504bbdf9dc776011ec4bb459a6f8716c26ab0e62cbf70e_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-all-in-one-rhel8@sha256:e4bb5f4ec8077fd88d504bbdf9dc776011ec4bb459a6f8716c26ab0e62cbf70e_amd64 |
| Red Hat | rhosdt/jaeger-all-in-one-rhel8@sha256:0b20755ee5537736b1fe1371bd0052a48cafe921c49019bb9b370ec2973fa08d_ppc64le as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-all-in-one-rhel8@sha256:0b20755ee5537736b1fe1371bd0052a48cafe921c49019bb9b370ec2973fa08d_ppc64le |
| Red Hat | rhosdt/jaeger-collector-rhel8@sha256:b8f0ecc3f3f5e6ef95795b5d6e4c1101ac262798bc7f98d88a4d72c9bb8df2de_s390x as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-collector-rhel8@sha256:b8f0ecc3f3f5e6ef95795b5d6e4c1101ac262798bc7f98d88a4d72c9bb8df2de_s390x |
| Red Hat | rhosdt/jaeger-query-rhel8@sha256:0fb36c45aeaf6ce09946a3bc90637a1d9a118f3d86c950105a916263de49501e_ppc64le as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-query-rhel8@sha256:0fb36c45aeaf6ce09946a3bc90637a1d9a118f3d86c950105a916263de49501e_ppc64le |
| Red Hat | rhosdt/jaeger-es-index-cleaner-rhel8@sha256:1ad7cb4a53bba1ce64294865f2ea98bea7e12abc8b2ce3fb929b4ac6c7a9e534_s390x as a component of Red Hat OpenShift distributed tracing 2.8 | * |
| Red Hat | rhosdt/jaeger-rhel8-operator@sha256:69b565bd59f81777c857981508eaa4a177a8d1a0ffb96507758cde425681e36e_ppc64le as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-rhel8-operator@sha256:69b565bd59f81777c857981508eaa4a177a8d1a0ffb96507758cde425681e36e_ppc64le |
| Red Hat | rhosdt/tempo-gateway-rhel8@sha256:5750eddfc102b827318e8a916ba96d0c07dc0ff57aee73b63f1b8ff430865e6b_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/tempo-gateway-rhel8@sha256:5750eddfc102b827318e8a916ba96d0c07dc0ff57aee73b63f1b8ff430865e6b_amd64 |
| Red Hat | rhosdt/jaeger-es-rollover-rhel8@sha256:75b3492d01d93b5f14dd8b8cae913f4c9a379cde9738b16b653f17065f461004_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-es-rollover-rhel8@sha256:75b3492d01d93b5f14dd8b8cae913f4c9a379cde9738b16b653f17065f461004_amd64 |
| Red Hat | rhosdt/opentelemetry-collector-rhel8@sha256:00416535e7d8201734bf0f7d7f3279c064eb1311b8d64b89784622a05bc65244_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/opentelemetry-collector-rhel8@sha256:00416535e7d8201734bf0f7d7f3279c064eb1311b8d64b89784622a05bc65244_amd64 |
| Red Hat | rhosdt/jaeger-query-rhel8@sha256:104db728c93ca8fd7a3abd8889e6a0d1ec4db34ea6e2d4350dba029651adeb17_s390x as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-query-rhel8@sha256:104db728c93ca8fd7a3abd8889e6a0d1ec4db34ea6e2d4350dba029651adeb17_s390x |
| Red Hat | rhosdt/jaeger-collector-rhel8@sha256:ff04f6b0953c885bac0b58c0373eef52cc667901df03ecf40568c30132d46f31_ppc64le as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/jaeger-collector-rhel8@sha256:ff04f6b0953c885bac0b58c0373eef52cc667901df03ecf40568c30132d46f31_ppc64le |
| Red Hat | rhosdt/jaeger-rhel8-operator@sha256:45aa2c351ee0e9cc8bbcb2cdedd6e673f3196464529a44be6ec74cc150eb6751_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | * |
| Red Hat | rhosdt/tempo-gateway-rhel8@sha256:5750eddfc102b827318e8a916ba96d0c07dc0ff57aee73b63f1b8ff430865e6b_amd64 as a component of Red Hat OpenShift distributed tracing 2.8 | rhosdt/tempo-gateway-rhel8@sha256:5750eddfc102b827318e8a916ba96d0c07dc0ff57aee73b63f1b8ff430865e6b_amd64 |
…and 64 more
Timeline
- May 10, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 30, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:2728 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/containers advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2161274 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2728.json advisory
- https://access.redhat.com/security/cve/CVE-2022-41717 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-41717 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-41717 advisory
- https://go.dev/cl/455635 advisory
- https://go.dev/cl/455717 advisory
- https://go.dev/issue/56350 advisory
- https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ advisory
- https://pkg.go.dev/vuln/GO-2022-1144 advisory