MSRC_CVE-2022-41717

Vulnerability from csaf_microsoft - Published: 2022-12-02 00:00 - Updated: 2024-12-03 00:00
Summary
Excessive memory growth in net/http and golang.org/x/net/http2

Notes

Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-41717 Excessive memory growth in net/http and golang.org/x/net/http2 - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-41717.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Excessive memory growth in net/http and golang.org/x/net/http2",
    "tracking": {
      "current_release_date": "2024-12-03T00:00:00.000Z",
      "generator": {
        "date": "2025-12-27T17:18:56.825Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-41717",
      "initial_release_date": "2022-12-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-12-13T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2024-01-24T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added sriov-network-device-plugin to CBL-Mariner 2.0"
        },
        {
          "date": "2024-02-12T00:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Added nmi to CBL-Mariner 2.0"
        },
        {
          "date": "2024-04-11T00:00:00.000Z",
          "legacy_version": "1.3",
          "number": "4",
          "summary": "Added cri-o to CBL-Mariner 2.0"
        },
        {
          "date": "2024-06-30T07:00:00.000Z",
          "legacy_version": "1.4",
          "number": "5",
          "summary": "Information published."
        },
        {
          "date": "2024-09-06T00:00:00.000Z",
          "legacy_version": "1.5",
          "number": "6",
          "summary": "Information published."
        },
        {
          "date": "2024-09-07T00:00:00.000Z",
          "legacy_version": "1.6",
          "number": "7",
          "summary": "Information published."
        },
        {
          "date": "2024-09-08T00:00:00.000Z",
          "legacy_version": "1.7",
          "number": "8",
          "summary": "Information published."
        },
        {
          "date": "2024-09-11T00:00:00.000Z",
          "legacy_version": "1.8",
          "number": "9",
          "summary": "Information published."
        },
        {
          "date": "2024-10-05T00:00:00.000Z",
          "legacy_version": "1.9",
          "number": "10",
          "summary": "Information published."
        },
        {
          "date": "2024-10-16T00:00:00.000Z",
          "legacy_version": "2",
          "number": "11",
          "summary": "Added prometheus to CBL-Mariner 2.0\nAdded containerized-data-importer to CBL-Mariner 2.0\nAdded azcopy to CBL-Mariner 2.0\nAdded cri-o to CBL-Mariner 2.0\nAdded moby-cli to CBL-Mariner 2.0\nAdded nmi to CBL-Mariner 2.0\nAdded sriov-network-device-plugin to CBL-Mariner 2.0\nAdded golang to CBL-Mariner 2.0\nAdded moby-engine to Azure Linux 3.0\nAdded sriov-network-device-plugin to Azure Linux 3.0\nAdded prometheus to Azure Linux 3.0\nAdded golang to CBL-Mariner 1.0"
        },
        {
          "date": "2024-12-03T00:00:00.000Z",
          "legacy_version": "2.1",
          "number": "12",
          "summary": "Added containerized-data-importer to CBL-Mariner 2.0\nAdded prometheus to CBL-Mariner 2.0\nAdded azcopy to CBL-Mariner 2.0\nAdded cri-o to CBL-Mariner 2.0\nAdded moby-cli to CBL-Mariner 2.0\nAdded nmi to CBL-Mariner 2.0\nAdded sriov-network-device-plugin to CBL-Mariner 2.0\nAdded golang to CBL-Mariner 2.0\nAdded moby-engine to Azure Linux 3.0\nAdded sriov-network-device-plugin to Azure Linux 3.0\nAdded prometheus to Azure Linux 3.0\nAdded golang to CBL-Mariner 1.0"
        }
      ],
      "status": "final",
      "version": "12"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 prometheus 2.37.0-15",
                "product": {
                  "name": "\u003ccbl2 prometheus 2.37.0-15",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 prometheus 2.37.0-15",
                "product": {
                  "name": "cbl2 prometheus 2.37.0-15",
                  "product_id": "20327"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 prometheus 2.37.0-11",
                "product": {
                  "name": "\u003cazl3 prometheus 2.37.0-11",
                  "product_id": "7"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 prometheus 2.37.0-11",
                "product": {
                  "name": "azl3 prometheus 2.37.0-11",
                  "product_id": "20094"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 prometheus 2.37.9-1",
                "product": {
                  "name": "\u003ccbl2 prometheus 2.37.9-1",
                  "product_id": "34"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 prometheus 2.37.9-1",
                "product": {
                  "name": "cbl2 prometheus 2.37.9-1",
                  "product_id": "17409"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 prometheus 2.45.4-1",
                "product": {
                  "name": "\u003cazl3 prometheus 2.45.4-1",
                  "product_id": "29"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 prometheus 2.45.4-1",
                "product": {
                  "name": "azl3 prometheus 2.45.4-1",
                  "product_id": "18125"
                }
              }
            ],
            "category": "product_name",
            "name": "prometheus"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 sriov-network-device-plugin 3.5.1-3",
                "product": {
                  "name": "\u003ccbl2 sriov-network-device-plugin 3.5.1-3",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 sriov-network-device-plugin 3.5.1-3",
                "product": {
                  "name": "cbl2 sriov-network-device-plugin 3.5.1-3",
                  "product_id": "20308"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 sriov-network-device-plugin 3.5.1-3",
                "product": {
                  "name": "\u003cazl3 sriov-network-device-plugin 3.5.1-3",
                  "product_id": "5"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 sriov-network-device-plugin 3.5.1-3",
                "product": {
                  "name": "azl3 sriov-network-device-plugin 3.5.1-3",
                  "product_id": "20235"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 sriov-network-device-plugin 3.6.2-2",
                "product": {
                  "name": "\u003ccbl2 sriov-network-device-plugin 3.6.2-2",
                  "product_id": "25"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 sriov-network-device-plugin 3.6.2-2",
                "product": {
                  "name": "cbl2 sriov-network-device-plugin 3.6.2-2",
                  "product_id": "18525"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 sriov-network-device-plugin 3.7.0-1",
                "product": {
                  "name": "\u003cazl3 sriov-network-device-plugin 3.7.0-1",
                  "product_id": "22"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 sriov-network-device-plugin 3.7.0-1",
                "product": {
                  "name": "azl3 sriov-network-device-plugin 3.7.0-1",
                  "product_id": "18528"
                }
              }
            ],
            "category": "product_name",
            "name": "sriov-network-device-plugin"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 nmi 1.8.11-2",
                "product": {
                  "name": "\u003ccbl2 nmi 1.8.11-2",
                  "product_id": "8"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 nmi 1.8.11-2",
                "product": {
                  "name": "cbl2 nmi 1.8.11-2",
                  "product_id": "20023"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 nmi 1.8.17-1",
                "product": {
                  "name": "\u003ccbl2 nmi 1.8.17-1",
                  "product_id": "26"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 nmi 1.8.17-1",
                "product": {
                  "name": "cbl2 nmi 1.8.17-1",
                  "product_id": "18524"
                }
              }
            ],
            "category": "product_name",
            "name": "nmi"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 moby-engine 20.10.25-3",
                "product": {
                  "name": "\u003cazl3 moby-engine 20.10.25-3",
                  "product_id": "30"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 moby-engine 20.10.25-3",
                "product": {
                  "name": "azl3 moby-engine 20.10.25-3",
                  "product_id": "17964"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 moby-engine 25.0.3-1",
                "product": {
                  "name": "\u003cazl3 moby-engine 25.0.3-1",
                  "product_id": "31"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 moby-engine 25.0.3-1",
                "product": {
                  "name": "azl3 moby-engine 25.0.3-1",
                  "product_id": "17814"
                }
              }
            ],
            "category": "product_name",
            "name": "moby-engine"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 golang 1.17.13-2",
                "product": {
                  "name": "\u003ccbl2 golang 1.17.13-2",
                  "product_id": "15"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 golang 1.17.13-2",
                "product": {
                  "name": "cbl2 golang 1.17.13-2",
                  "product_id": "19778"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 golang 1.18.8-7",
                "product": {
                  "name": "\u003ccbl2 golang 1.18.8-7",
                  "product_id": "14"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 golang 1.18.8-7",
                "product": {
                  "name": "cbl2 golang 1.18.8-7",
                  "product_id": "19785"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccm1 golang 1.18.8-2",
                "product": {
                  "name": "\u003ccm1 golang 1.18.8-2",
                  "product_id": "27"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 golang 1.18.8-2",
                "product": {
                  "name": "cm1 golang 1.18.8-2",
                  "product_id": "18523"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 golang 1.21.6-1",
                "product": {
                  "name": "\u003ccbl2 golang 1.21.6-1",
                  "product_id": "36"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 golang 1.21.6-1",
                "product": {
                  "name": "cbl2 golang 1.21.6-1",
                  "product_id": "17375"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 golang 1.17.13-2,1.18.8-2,1.21.6-1",
                "product": {
                  "name": "\u003cazl3 golang 1.17.13-2,1.18.8-2,1.21.6-1",
                  "product_id": "21"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 golang 1.17.13-2,1.18.8-2,1.21.6-1",
                "product": {
                  "name": "azl3 golang 1.17.13-2,1.18.8-2,1.21.6-1",
                  "product_id": "18529"
                }
              }
            ],
            "category": "product_name",
            "name": "golang"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 moby-cli 24.0.9-1",
                "product": {
                  "name": "\u003ccbl2 moby-cli 24.0.9-1",
                  "product_id": "24"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 moby-cli 24.0.9-1",
                "product": {
                  "name": "cbl2 moby-cli 24.0.9-1",
                  "product_id": "18526"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 moby-cli 20.10.27-5",
                "product": {
                  "name": "\u003ccbl2 moby-cli 20.10.27-5",
                  "product_id": "13"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 moby-cli 20.10.27-5",
                "product": {
                  "name": "cbl2 moby-cli 20.10.27-5",
                  "product_id": "19790"
                }
              }
            ],
            "category": "product_name",
            "name": "moby-cli"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 gh 2.13.0-2",
                "product": {
                  "name": "\u003ccbl2 gh 2.13.0-2",
                  "product_id": "23"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 gh 2.13.0-2",
                "product": {
                  "name": "cbl2 gh 2.13.0-2",
                  "product_id": "18527"
                }
              }
            ],
            "category": "product_name",
            "name": "gh"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 containerized-data-importer 1.55.0-20",
                "product": {
                  "name": "\u003ccbl2 containerized-data-importer 1.55.0-20",
                  "product_id": "35"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 containerized-data-importer 1.55.0-20",
                "product": {
                  "name": "cbl2 containerized-data-importer 1.55.0-20",
                  "product_id": "17401"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 containerized-data-importer 1.55.0-23",
                "product": {
                  "name": "\u003ccbl2 containerized-data-importer 1.55.0-23",
                  "product_id": "12"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 containerized-data-importer 1.55.0-23",
                "product": {
                  "name": "cbl2 containerized-data-importer 1.55.0-23",
                  "product_id": "19821"
                }
              }
            ],
            "category": "product_name",
            "name": "containerized-data-importer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 azcopy 10.24.0-1",
                "product": {
                  "name": "\u003ccbl2 azcopy 10.24.0-1",
                  "product_id": "33"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 azcopy 10.24.0-1",
                "product": {
                  "name": "cbl2 azcopy 10.24.0-1",
                  "product_id": "17426"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 azcopy 10.15.0-15",
                "product": {
                  "name": "\u003ccbl2 azcopy 10.15.0-15",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 azcopy 10.15.0-15",
                "product": {
                  "name": "cbl2 azcopy 10.15.0-15",
                  "product_id": "20110"
                }
              }
            ],
            "category": "product_name",
            "name": "azcopy"
          },
          {
            "category": "product_name",
            "name": "cbl2 csi-driver-lvm 0.4.1-17",
            "product": {
              "name": "cbl2 csi-driver-lvm 0.4.1-17",
              "product_id": "4"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 jx 3.2.236-21",
            "product": {
              "name": "cbl2 jx 3.2.236-21",
              "product_id": "18"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 prometheus-adapter 0.10.0-17",
            "product": {
              "name": "cbl2 prometheus-adapter 0.10.0-17",
              "product_id": "9"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 terraform 1.3.2-25",
            "product": {
              "name": "cbl2 terraform 1.3.2-25",
              "product_id": "10"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 gcc 13.2.0-7",
            "product": {
              "name": "azl3 gcc 13.2.0-7",
              "product_id": "28"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 tensorflow 2.11.1-2",
            "product": {
              "name": "cbl2 tensorflow 2.11.1-2",
              "product_id": "20"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 tensorflow 2.16.1-9",
            "product": {
              "name": "azl3 tensorflow 2.16.1-9",
              "product_id": "32"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 cri-o 1.21.7-3",
            "product": {
              "name": "cbl2 cri-o 1.21.7-3",
              "product_id": "11"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 influx-cli 2.6.1-17",
            "product": {
              "name": "cbl2 influx-cli 2.6.1-17",
              "product_id": "1"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 msft-golang 1.24.1-2",
            "product": {
              "name": "cbl2 msft-golang 1.24.1-2",
              "product_id": "16"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 python-tensorboard 2.16.2-6",
            "product": {
              "name": "azl3 python-tensorboard 2.16.2-6",
              "product_id": "19"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 golang 1.24.3-1",
            "product": {
              "name": "azl3 golang 1.24.3-1",
              "product_id": "17"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 csi-driver-lvm 0.4.1-17 as a component of CBL Mariner 2.0",
          "product_id": "17086-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 jx 3.2.236-21 as a component of CBL Mariner 2.0",
          "product_id": "17086-18"
        },
        "product_reference": "18",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 prometheus 2.37.0-15 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 prometheus 2.37.0-15 as a component of CBL Mariner 2.0",
          "product_id": "20327-17086"
        },
        "product_reference": "20327",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 prometheus-adapter 0.10.0-17 as a component of CBL Mariner 2.0",
          "product_id": "17086-9"
        },
        "product_reference": "9",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 sriov-network-device-plugin 3.5.1-3 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 sriov-network-device-plugin 3.5.1-3 as a component of CBL Mariner 2.0",
          "product_id": "20308-17086"
        },
        "product_reference": "20308",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 terraform 1.3.2-25 as a component of CBL Mariner 2.0",
          "product_id": "17086-10"
        },
        "product_reference": "10",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 nmi 1.8.11-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nmi 1.8.11-2 as a component of CBL Mariner 2.0",
          "product_id": "20023-17086"
        },
        "product_reference": "20023",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 gcc 13.2.0-7 as a component of Azure Linux 3.0",
          "product_id": "17084-28"
        },
        "product_reference": "28",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 moby-engine 20.10.25-3 as a component of Azure Linux 3.0",
          "product_id": "17084-30"
        },
        "product_reference": "30",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 moby-engine 20.10.25-3 as a component of Azure Linux 3.0",
          "product_id": "17964-17084"
        },
        "product_reference": "17964",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 prometheus 2.37.0-11 as a component of Azure Linux 3.0",
          "product_id": "17084-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 prometheus 2.37.0-11 as a component of Azure Linux 3.0",
          "product_id": "20094-17084"
        },
        "product_reference": "20094",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 sriov-network-device-plugin 3.5.1-3 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 sriov-network-device-plugin 3.5.1-3 as a component of Azure Linux 3.0",
          "product_id": "20235-17084"
        },
        "product_reference": "20235",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 golang 1.17.13-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-15"
        },
        "product_reference": "15",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 golang 1.17.13-2 as a component of CBL Mariner 2.0",
          "product_id": "19778-17086"
        },
        "product_reference": "19778",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 golang 1.18.8-7 as a component of CBL Mariner 2.0",
          "product_id": "17086-14"
        },
        "product_reference": "14",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 golang 1.18.8-7 as a component of CBL Mariner 2.0",
          "product_id": "19785-17086"
        },
        "product_reference": "19785",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 tensorflow 2.11.1-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-20"
        },
        "product_reference": "20",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 tensorflow 2.16.1-9 as a component of Azure Linux 3.0",
          "product_id": "17084-32"
        },
        "product_reference": "32",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 cri-o 1.21.7-3 as a component of CBL Mariner 2.0",
          "product_id": "17086-11"
        },
        "product_reference": "11",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 golang 1.18.8-2 as a component of CBL Mariner 1.0",
          "product_id": "16820-27"
        },
        "product_reference": "27",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 golang 1.18.8-2 as a component of CBL Mariner 1.0",
          "product_id": "18523-16820"
        },
        "product_reference": "18523",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 golang 1.21.6-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-36"
        },
        "product_reference": "36",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 golang 1.21.6-1 as a component of CBL Mariner 2.0",
          "product_id": "17375-17086"
        },
        "product_reference": "17375",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 nmi 1.8.17-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-26"
        },
        "product_reference": "26",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 nmi 1.8.17-1 as a component of CBL Mariner 2.0",
          "product_id": "18524-17086"
        },
        "product_reference": "18524",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 sriov-network-device-plugin 3.6.2-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-25"
        },
        "product_reference": "25",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 sriov-network-device-plugin 3.6.2-2 as a component of CBL Mariner 2.0",
          "product_id": "18525-17086"
        },
        "product_reference": "18525",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 prometheus 2.37.9-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-34"
        },
        "product_reference": "34",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 prometheus 2.37.9-1 as a component of CBL Mariner 2.0",
          "product_id": "17409-17086"
        },
        "product_reference": "17409",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 moby-cli 24.0.9-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-24"
        },
        "product_reference": "24",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 moby-cli 24.0.9-1 as a component of CBL Mariner 2.0",
          "product_id": "18526-17086"
        },
        "product_reference": "18526",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 gh 2.13.0-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-23"
        },
        "product_reference": "23",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 gh 2.13.0-2 as a component of CBL Mariner 2.0",
          "product_id": "18527-17086"
        },
        "product_reference": "18527",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 containerized-data-importer 1.55.0-20 as a component of CBL Mariner 2.0",
          "product_id": "17086-35"
        },
        "product_reference": "35",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 containerized-data-importer 1.55.0-20 as a component of CBL Mariner 2.0",
          "product_id": "17401-17086"
        },
        "product_reference": "17401",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 azcopy 10.24.0-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-33"
        },
        "product_reference": "33",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 azcopy 10.24.0-1 as a component of CBL Mariner 2.0",
          "product_id": "17426-17086"
        },
        "product_reference": "17426",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 sriov-network-device-plugin 3.7.0-1 as a component of Azure Linux 3.0",
          "product_id": "17084-22"
        },
        "product_reference": "22",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 sriov-network-device-plugin 3.7.0-1 as a component of Azure Linux 3.0",
          "product_id": "18528-17084"
        },
        "product_reference": "18528",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 prometheus 2.45.4-1 as a component of Azure Linux 3.0",
          "product_id": "17084-29"
        },
        "product_reference": "29",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 prometheus 2.45.4-1 as a component of Azure Linux 3.0",
          "product_id": "18125-17084"
        },
        "product_reference": "18125",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 moby-engine 25.0.3-1 as a component of Azure Linux 3.0",
          "product_id": "17084-31"
        },
        "product_reference": "31",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 moby-engine 25.0.3-1 as a component of Azure Linux 3.0",
          "product_id": "17814-17084"
        },
        "product_reference": "17814",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 golang 1.17.13-2,1.18.8-2,1.21.6-1 as a component of Azure Linux 3.0",
          "product_id": "17084-21"
        },
        "product_reference": "21",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 golang 1.17.13-2,1.18.8-2,1.21.6-1 as a component of Azure Linux 3.0",
          "product_id": "18529-17084"
        },
        "product_reference": "18529",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 azcopy 10.15.0-15 as a component of CBL Mariner 2.0",
          "product_id": "17086-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 azcopy 10.15.0-15 as a component of CBL Mariner 2.0",
          "product_id": "20110-17086"
        },
        "product_reference": "20110",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 containerized-data-importer 1.55.0-23 as a component of CBL Mariner 2.0",
          "product_id": "17086-12"
        },
        "product_reference": "12",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 containerized-data-importer 1.55.0-23 as a component of CBL Mariner 2.0",
          "product_id": "19821-17086"
        },
        "product_reference": "19821",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 influx-cli 2.6.1-17 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 moby-cli 20.10.27-5 as a component of CBL Mariner 2.0",
          "product_id": "17086-13"
        },
        "product_reference": "13",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 moby-cli 20.10.27-5 as a component of CBL Mariner 2.0",
          "product_id": "19790-17086"
        },
        "product_reference": "19790",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 msft-golang 1.24.1-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-16"
        },
        "product_reference": "16",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-tensorboard 2.16.2-6 as a component of Azure Linux 3.0",
          "product_id": "17084-19"
        },
        "product_reference": "19",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 golang 1.24.3-1 as a component of Azure Linux 3.0",
          "product_id": "17084-17"
        },
        "product_reference": "17",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-41717",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17086-4",
            "17086-18",
            "17086-9",
            "17086-10",
            "17084-28",
            "17086-20",
            "17084-32",
            "17086-11",
            "17086-1",
            "17086-16",
            "17084-19",
            "17084-17"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Go",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "20327-17086",
          "20308-17086",
          "20023-17086",
          "17964-17084",
          "20094-17084",
          "20235-17084",
          "19778-17086",
          "19785-17086",
          "18523-16820",
          "17375-17086",
          "18524-17086",
          "18525-17086",
          "17409-17086",
          "18526-17086",
          "18527-17086",
          "17401-17086",
          "17426-17086",
          "18528-17084",
          "18125-17084",
          "17814-17084",
          "18529-17084",
          "20110-17086",
          "19821-17086",
          "19790-17086"
        ],
        "known_affected": [
          "17086-2",
          "17086-3",
          "17086-8",
          "17084-30",
          "17084-7",
          "17084-5",
          "17086-15",
          "17086-14",
          "16820-27",
          "17086-36",
          "17086-26",
          "17086-25",
          "17086-34",
          "17086-24",
          "17086-23",
          "17086-35",
          "17086-33",
          "17084-22",
          "17084-29",
          "17084-31",
          "17084-21",
          "17086-6",
          "17086-12",
          "17086-13"
        ],
        "known_not_affected": [
          "17086-4",
          "17086-18",
          "17086-9",
          "17086-10",
          "17084-28",
          "17086-20",
          "17084-32",
          "17086-11",
          "17086-1",
          "17086-16",
          "17084-19",
          "17084-17"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-41717 Excessive memory growth in net/http and golang.org/x/net/http2 - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-41717.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "2.37.9-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-2",
            "17086-34"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "3.6.2-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-3",
            "17086-25"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.8.17-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-8",
            "17086-26"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "25.0.3-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-30",
            "17084-31"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "2.45.4-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-7",
            "17084-29"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "3.7.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-5",
            "17084-22"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.17.13-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-15"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.18.8-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-14"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.18.8-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-27"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.21.6-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-36"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "24.0.9-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-24",
            "17086-13"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "2.13.0-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-23"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.55.0-20:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-35",
            "17086-12"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "10.24.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-33",
            "17086-6"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-12-13T00:00:00.000Z",
          "details": "1.17.13-2,1.18.8-2,1.21.6-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-21"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "17086-2",
            "17086-3",
            "17086-8",
            "17084-30",
            "17084-7",
            "17084-5",
            "17086-15",
            "17086-14",
            "16820-27",
            "17086-36",
            "17086-26",
            "17086-25",
            "17086-34",
            "17086-24",
            "17086-23",
            "17086-35",
            "17086-33",
            "17084-22",
            "17084-29",
            "17084-31",
            "17084-21",
            "17086-6",
            "17086-12",
            "17086-13"
          ]
        }
      ],
      "title": "Excessive memory growth in net/http and golang.org/x/net/http2"
    }
  ]
}

