QID 357008

Date Published: 2024-02-05

QID 357008: Amazon Linux Security Advisory for amazon-cloudwatch-agent : ALAS2-2024-2424

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325)

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.
A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1 GiB) when a handler fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding.
The net/http chunked encoding reader discards this metadata.
A sender can exploit this by inserting a large metadata segment with each byte transferred.
The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. (CVE-2023-39326)

opentelemetry-go contrib is a collection of third-party packages for opentelemetry-go.
A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality.
This leads to potential memory exhaustion on the server when many malicious requests are sent to it.
The HTTP User-Agent header or the HTTP method of a request can easily be set by an attacker to be random and long.
The library internally uses `httpconv.ServerRequest`, which records every value for HTTP `method` and `user-agent`.
In order to be affected, a program has to use the `otelhttp.
As a workaround to stop being affected, `otelhttp.
(CVE-2023-45142)
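As an added illustration of the overhead check described for CVE-2023-39326 (example code written for this page, not the net/http source), a minimal chunked-body decoder that charges every framing byte to a budget, lets real body bytes pay it down, and rejects the stream once framing outruns data; the 4096-byte budget, the error value and the function name are assumptions:

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"strconv"
	"strings"
)

// ErrTooMuchOverhead: chunk framing (size lines, extensions, CRLFs) outran the body bytes delivered.
var ErrTooMuchOverhead = errors.New("chunked encoding: too much non-data overhead")

// readChunked decodes a chunked transfer-encoded body from r. Every framing byte
// is charged to an "excess" budget and every body byte pays it down; once excess
// exceeds maxExcess the stream is rejected. Budget and names are assumptions, not net/http's.
func readChunked(r io.Reader, maxExcess int) ([]byte, error) {
	br := bufio.NewReader(r)
	var body bytes.Buffer
	excess := 0
	for {
		line, err := br.ReadString('\n') // "<hex-size>[;extension...]\r\n"
		if err != nil {
			return nil, err
		}
		excess += len(line)
		if excess > maxExcess {
			return nil, ErrTooMuchOverhead
		}
		// Extensions carry no body data: strip them before parsing the size.
		sizeStr := strings.TrimSpace(strings.SplitN(line, ";", 2)[0])
		n, err := strconv.ParseUint(sizeStr, 16, 32)
		if err != nil {
			return nil, err
		}
		if n == 0 {
			return body.Bytes(), nil // last chunk; trailers are not decoded here
		}
		if _, err := io.CopyN(&body, br, int64(n)); err != nil {
			return nil, err
		}
		if excess -= int(n); excess < 0 { excess = 0 } // real data pays down the overhead
		if _, err := br.Discard(2); err != nil { // CRLF that ends the chunk
			return nil, err
		}
		excess += 2
	}
}
```

A production reader would additionally bound the length of the size line before buffering it; this example keeps only the ratio check.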


Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5.4 severity.
  • Solution
    Please refer to Amazon advisory: ALAS2-2024-2424 for affected packages and patching details, or update with your package manager.
  • Vendor References
    CVEs related to QID 357008: CVE-2023-39325, CVE-2023-39326, CVE-2023-45142
    Software Advisories
    Advisory ID: ALAS2-2024-2424; Software Component: Amazon Linux 2; Link: alas.aws.amazon.com/AL2/ALAS-2024-2424.html