Overview
About vulnerability
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Details
- Affected product:
- AlmaLinux 9.2 ESU , Azure/azure-event-hubs-go , Azure/azure-pipeline-go , Azure/azure-sdk-for-go/sdk/azcore , Azure/azure-sdk-for-go/sdk/azidentity , Azure/azure-sdk-for-go/sdk/internal , Azure/azure-storage-blob-go , Grafana , Joker/hpp , Loki , MinIO , TuxCare 9.6 ESU , WireGuard/wgctrl-go/wgctrl , apache/arrow , apache/arrow/go/arrow , aws/aws-sdk-go , aws/aws-sdk-go-v2 , bketelsen/crypt , census-instrumentation/opencensus-go , centrifugal/centrifuge , cloud.google.com/go , cloud.google.com/go/bigquery , cloud.google.com/go/firestore , cortexproject/cortex , cue.gerrithub/cue-lang/cue , cuelang.org/go , dgraph-io/badger , dhui/dktest , digitalocean/godo , elastic/apm-agent-go/module/apmhttp , elastic/apm-agent-go/module/apmot , ema/qdisc , etcd-io/etcd , etcd-io/etcd/server , getsentry/sentry-go , gin-gonic/gin , github.com/Azure/azure-event-hubs-go , github.com/Azure/azure-pipeline-go , github.com/Azure/azure-sdk-for-go/sdk/azcore , github.com/Azure/azure-sdk-for-go/sdk/azidentity , github.com/Azure/azure-sdk-for-go/sdk/internal , github.com/Azure/azure-storage-blob-go , github.com/Joker/hpp , github.com/Shopify/sarama , github.com/apache/arrow/go/arrow , github.com/aws/aws-sdk-go , github.com/aws/aws-sdk-go-v2 , github.com/bketelsen/crypt , github.com/centrifugal/centrifuge , github.com/cortexproject/cortex , github.com/deepmap/oapi-codegen , github.com/dgraph-io/badger , github.com/dhui/dktest , github.com/digitalocean/godo , github.com/ema/qdisc , github.com/getsentry/sentry-go , github.com/gin-gonic/gin , github.com/glinton/ping , github.com/go-kit/kit , github.com/go-openapi/analysis , github.com/go-openapi/jsonreference , github.com/go-openapi/loads , github.com/go-openapi/runtime , github.com/go-openapi/spec , github.com/go-openapi/validate , github.com/gogo/protobuf , github.com/golang-migrate/migrate , github.com/golang/mock , github.com/golang/protobuf , github.com/google/go-github , github.com/grafana/grafana-plugin-sdk-go , 
github.com/grpc-ecosystem/go-grpc-middleware , github.com/grpc-ecosystem/go-grpc-prometheus , github.com/grpc-ecosystem/grpc-gateway , github.com/hashicorp/consul , github.com/hashicorp/consul/api , github.com/hashicorp/go-discover , github.com/hashicorp/go-plugin , github.com/hashicorp/mdns , github.com/hashicorp/memberlist , github.com/hashicorp/serf , github.com/influxdata/flux , github.com/influxdata/influxdb , github.com/influxdata/influxdb-client-go , github.com/influxdata/telegraf , github.com/iris-contrib/jade , github.com/jaegertracing/jaeger , github.com/jcmturner/gokrb5 , github.com/jcmturner/rpc , github.com/jhump/protoreflect , github.com/jsimonetti/rtnetlink , github.com/kataras/iris , github.com/lightstep/lightstep-tracer-common/golang/gogo , github.com/lightstep/lightstep-tracer-go , github.com/mattn/go-ieproxy , github.com/mdlayher/genetlink , github.com/mdlayher/netlink , github.com/microcosm-cc/bluemonday , github.com/miekg/dns , github.com/onsi/ginkgo , github.com/onsi/gomega , github.com/opentracing-contrib/go-grpc , github.com/openzipkin-contrib/zipkin-go-opentracing , github.com/openzipkin/zipkin-go , github.com/prometheus/alertmanager , github.com/prometheus/client_golang , github.com/prometheus/common , github.com/prometheus/node_exporter , github.com/prometheus/prometheus , github.com/securego/gosec , github.com/soheilhy/cmux , github.com/spf13/cobra , github.com/spf13/viper , github.com/thanos-io/thanos , github.com/valyala/fasthttp , github.com/weaveworks/common , github.com/xanzy/go-gitlab , glinton/ping , go-kit/kit , go-openapi/analysis , go-openapi/jsonreference , go-openapi/loads , go-openapi/runtime , go-openapi/spec , go-openapi/validate , go.elastic.co/apm/module/apmhttp , go.elastic.co/apm/module/apmot , go.etcd.io/etcd , go.etcd.io/etcd/server , go.opencensus.io , go.opentelemetry.io/collector , gogo/protobuf , golang-migrate/migrate , golang.org/x/crypto , golang.org/x/mod , golang.org/x/net , golang.org/x/oauth2 , 
golang.org/x/tools , golang.zx2c4.com/wireguard , golang.zx2c4.com/wireguard/wgctrl , golang/appengine , golang/mock , golang/protobuf , google.golang.org/api , google.golang.org/appengine , google.golang.org/genproto , google.golang.org/grpc , google.golang.org/protobuf , googleapis/go-genproto , googleapis/google-api-go-client , googleapis/google-cloud-go , googleapis/google-cloud-go/bigquery , googleapis/google-cloud-go/firestore , googlesource/crypto , googlesource/mod , googlesource/net , googlesource/oauth2 , googlesource/protobuf , googlesource/tools , gopkg.in/macaron.v1 , grafana/grafana-plugin-sdk-go , grpc-ecosystem/go-grpc-middleware , grpc-ecosystem/go-grpc-prometheus , grpc-ecosystem/grpc-gateway , grpc/grpc-go , hashicorp/consul , hashicorp/consul/api , hashicorp/go-discover , hashicorp/go-plugin , hashicorp/mdns , hashicorp/memberlist , hashicorp/serf , influxdata/flux , influxdata/influxdb , influxdata/influxdb-client-go , influxdata/telegraf , iris-contrib/jade , jaegertracing/jaeger , jcmturner/gokrb5 , jcmturner/rpc , jhump/protoreflect , jsimonetti/rtnetlink , k8s.io/api , k8s.io/apimachinery , k8s.io/client-go , k8s.io/kube-openapi , kataras/iris , kubernetes/api , kubernetes/apimachinery , kubernetes/client-go , kubernetes/kube-openapi , lightstep/lightstep-tracer-common/golang/gogo , lightstep/lightstep-tracer-go , mattn/go-ieproxy , mdlayher/genetlink , mdlayher/netlink , microcosm-cc/bluemonday , miekg/dns , onsi/ginkgo , onsi/gomega , open-telemetry/opentelemetry-collector , opentracing-contrib/go-grpc , openzipkin-contrib/zipkin-go-opentracing , openzipkin/zipkin-go , prometheus/alertmanager , prometheus/client_golang , prometheus/common , prometheus/node_exporter , prometheus/prometheus , securego/gosec , soheilhy/cmux , spf13/cobra , spf13/viper , thanos-io/thanos , valyala/fasthttp , weaveworks/common , xanzy/go-gitlab , zx2c4/wireguard-go
- Affected packages:
- google.golang.org/grpc @ 1.36.0 (+265 more)