QID 355697

Date Published: 2023-07-27

QID 355697: Amazon Linux Security Advisory for golang : ALAS2-2023-2163

Reserved note: https://groups.google.com/g/golang-announce/c/v0abfqafs_e
(CVE-2022-41725) golang: net/http, mime/multipart: denial of service from excessive resource consumption. The advisory also lists CVE-2022-41724 (golang: crypto/tls).
(CVE-2023-24532) golang: crypto/elliptic: the ScalarMult and ScalarBaseMult methods of the P256 curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
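The P256 issue above only bites callers that hand ScalarMult or ScalarBaseMult a scalar that is zero or not less than the group order N. As an added example (not code from the advisory or from the Go project), the guard below rejects such scalars before the call and, for callers that legitimately hold a wider value, reduces it mod N first. The function names checkScalar, reduceScalar and safeScalarBaseMult are this example's own; the sample scalar N+1 is constructed so that its reduction (1) maps to the generator G.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrScalarOutOfRange is returned for a scalar that is not in [1, N-1].
var ErrScalarOutOfRange = errors.New("scalar is zero or not less than the curve order")

// checkScalar rejects scalars that are zero or >= N (the P-256 group order).
// Rejecting is preferable to silently reducing: on affected Go versions an
// unreduced scalar reaching ScalarMult usually means attacker-controlled or
// buggy input further up the stack.
func checkScalar(curve elliptic.Curve, k []byte) error {
	kInt := new(big.Int).SetBytes(k)
	if kInt.Sign() == 0 || kInt.Cmp(curve.Params().N) >= 0 {
		return ErrScalarOutOfRange
	}
	return nil
}

// reduceScalar returns k mod N as a fixed-width big-endian byte slice, for
// callers that derive a wide scalar (for example from a hash) and want to map
// it into range before calling ScalarMult/ScalarBaseMult.
func reduceScalar(curve elliptic.Curve, k []byte) []byte {
	n := curve.Params().N
	r := new(big.Int).SetBytes(k)
	r.Mod(r, n)
	return r.FillBytes(make([]byte, (n.BitLen()+7)/8))
}

// safeScalarBaseMult wraps the low-level ScalarBaseMult with the range check.
func safeScalarBaseMult(curve elliptic.Curve, k []byte) (x, y *big.Int, err error) {
	if err := checkScalar(curve, k); err != nil {
		return nil, nil, err
	}
	x, y = curve.ScalarBaseMult(k)
	return x, y, nil
}

func main() {
	p256 := elliptic.P256()
	n := p256.Params().N
	// N+1 is an unreduced scalar (constructed example); N+1 mod N = 1, so the
	// reduced scalar maps to the generator point G.
	unreduced := new(big.Int).Add(n, big.NewInt(1)).Bytes()
	fmt.Println("unreduced scalar rejected:", checkScalar(p256, unreduced))
	reduced := reduceScalar(p256, unreduced)
	x, y, err := safeScalarBaseMult(p256, reduced)
	isG := err == nil && x.Cmp(p256.Params().Gx) == 0 && y.Cmp(p256.Params().Gy) == 0
	fmt.Println("reduced scalar gives G:", isG)
}
```

Note that crypto/elliptic's ScalarMult and ScalarBaseMult are deprecated in newer Go releases in favour of crypto/ecdh, which (as the note says) is not affected; the guard matters for code that still calls the low-level API.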
(CVE-2023-24536) Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes:
1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.
2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.
The combination of these factors can permit an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With the fix, ReadForm does a better job of estimating the memory consumption of parsed forms and performs many fewer short-lived allocations.
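The maxMemory argument to ParseMultipartForm is the only limit the affected code paths apply, and the note above explains why it is not enough: it bounds neither the number of parts nor the allocation churn they cause. As an added example (not code from the advisory or from the Go project), the handler pair below contrasts that pattern with one that caps total body size with http.MaxBytesReader, caps the number of parts, and caps bytes per part while streaming parts through MultipartReader instead of materialising the whole form. The limit values, the handler names and the generated test form are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Demo limits (assumed for this example, not values from the advisory).
const (
	maxBodyBytes = 1 << 20  // whole request body, enforced by MaxBytesReader
	maxParts     = 100      // number of multipart parts accepted per request
	maxPartBytes = 64 << 10 // bytes buffered per part
)

// naiveHandler is the pattern the advisory describes: it relies on the
// maxMemory argument alone, which bounds neither part count nor allocations.
func naiveHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseMultipartForm(32 << 20); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parts=%d\n", len(r.MultipartForm.Value))
}

// hardenedHandler bounds the request before any part is parsed: total body
// size, number of parts and bytes per part, streaming one part at a time.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	mr, err := r.MultipartReader()
	if err != nil {
		http.Error(w, "expected multipart/form-data", http.StatusBadRequest)
		return
	}
	parts := 0
	for {
		part, err := mr.NextPart()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			// An oversized body surfaces as *http.MaxBytesError; anything
			// else is treated as a malformed body.
			var mbe *http.MaxBytesError
			if errors.As(err, &mbe) {
				http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			} else {
				http.Error(w, "malformed multipart body", http.StatusBadRequest)
			}
			return
		}
		parts++
		if parts > maxParts {
			part.Close()
			http.Error(w, "too many parts", http.StatusRequestEntityTooLarge)
			return
		}
		// Read one byte past the per-part cap so an oversized part is
		// detected without buffering it in full.
		data, err := io.ReadAll(io.LimitReader(part, maxPartBytes+1))
		part.Close()
		if err != nil {
			http.Error(w, "error reading part", http.StatusBadRequest)
			return
		}
		if len(data) > maxPartBytes {
			http.Error(w, "part too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Application logic on part.FormName() and data would go here.
	}
	fmt.Fprintf(w, "parts=%d\n", parts)
}

// buildForm constructs a multipart/form-data body with numParts fields of
// partSize bytes each (constructed test input, not captured traffic).
func buildForm(numParts, partSize int) (*bytes.Buffer, string) {
	body := &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	value := string(bytes.Repeat([]byte("a"), partSize))
	for i := 0; i < numParts; i++ {
		_ = mw.WriteField("f"+strconv.Itoa(i), value)
	}
	mw.Close()
	return body, mw.FormDataContentType()
}

// serveForm runs a handler against a constructed form and returns the status.
func serveForm(h http.HandlerFunc, numParts, partSize int) int {
	body, ct := buildForm(numParts, partSize)
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", ct)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("naive, 500 tiny parts:    ", serveForm(naiveHandler, 500, 16))
	fmt.Println("hardened, 10 parts:       ", serveForm(hardenedHandler, 10, 16))
	fmt.Println("hardened, 500 tiny parts: ", serveForm(hardenedHandler, 500, 16))
	fmt.Println("hardened, 1 part of 1 MiB:", serveForm(hardenedHandler, 1, 1<<20))
}
```

The naive handler accepts the 500-part form (patched Go only refuses at its own default of 1000 parts), while the hardened one answers 413 as soon as the 101st part or an oversized part is seen, and never holds more than one bounded part in memory. Body and part caps are cheap to apply in a middleware and remain useful after patching, since the fixed ReadForm limits are generic defaults rather than per-endpoint policy.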

Successful exploitation of these vulnerabilities could lead to a security breach or could affect integrity, availability, and confidentiality: the multipart issues let a remote client exhaust CPU and memory (availability), while the P256 issue yields incorrect scalar multiplication results for callers that pass unreduced scalars (integrity).

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Medium - 5.4 severity.
  • Solution
    Please refer to Amazon advisory ALAS2-2023-2163 for affected packages and patching details, or update with your package manager.
    Vendor References
    Software Advisories
    Advisory ID: ALAS2-2023-2163
    Software Component: amazon linux 2
    Link: https://alas.aws.amazon.com/AL2/ALAS-2023-2163.html