COST-4737

CVE-2023-45290 costmanagement-metrics-operator-container: golang: net/http: memory exhaustion in Request.ParseMultipartForm [cost-management]


      Security Tracking Issue

      Do not make this issue public.

      Impact: Moderate
      Reported Date: 05-Mar-2024
      Resolve Bug By: 03-Jun-2024

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX (in Bugzilla) or Closed:Won't Do (in Jira) if you decide not to fix this bug.

      Please review this tracker and its impact on your product or service as soon as possible. Trackers for Low or Moderate severity flaws are filed WITHOUT in-depth analysis of the affected product or service. For more details, please refer to the following Confluence page - https://docs.engineering.redhat.com/x/3e_3EQ

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:


      CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
      https://bugzilla.redhat.com/show_bug.cgi?id=2268017

      When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

      ParseMultipartForm now correctly limits the maximum size of form lines.

      https://github.com/golang/go/issues/65383
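An added example, not code from this tracker or from the costmanagement-metrics-operator, showing the defense-in-depth pattern a Go service can apply regardless of toolchain version: cap the request body with http.MaxBytesReader before calling ParseMultipartForm, so an over-long form line is cut off at the cap instead of being buffered whole. The handler name uploadHandler, the /upload path, the 1 MiB cap and the helpers buildBody/postForm are assumptions for illustration, and the multipart body is constructed inline. The upstream fix for this CVE shipped in Go 1.21.8 and 1.22.1, so the durable remediation for the container is a rebuild with a patched toolchain; the body cap is the layer that holds either way.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxUploadBytes is an assumed per-request cap for this example; size it for
// the real endpoint. It must cover the largest legitimate upload plus the
// multipart framing.
const maxUploadBytes = 1 << 20 // 1 MiB

// uploadHandler parses a multipart form the defensive way: the whole request
// body is capped with http.MaxBytesReader before ParseMultipartForm touches
// it. ParseMultipartForm's own argument only bounds how much of the parsed
// form is kept in memory rather than spooled to disk; on an unpatched Go it
// placed no bound on a single over-long line, which is the CVE-2023-45290
// vector. The body cap bounds every byte read, whatever the runtime version.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
	if err := r.ParseMultipartForm(32 << 10); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed multipart form", http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll() // drop any parts spooled to temp files
	fmt.Fprintf(w, "ok: %d field(s)\n", len(r.MultipartForm.Value))
}

// buildBody constructs a multipart/form-data body with one text field. When
// headerPadding > 0 the part carries an extra header whose value is a single
// line of that many bytes, the shape of input the advisory describes.
// This is constructed test input, not traffic captured from a real client.
func buildBody(boundary string, headerPadding int) []byte {
	var b bytes.Buffer
	b.WriteString("--" + boundary + "\r\n")
	b.WriteString("Content-Disposition: form-data; name=\"field\"\r\n")
	if headerPadding > 0 {
		b.WriteString("X-Padding: " + strings.Repeat("A", headerPadding) + "\r\n")
	}
	b.WriteString("\r\nvalue\r\n")
	b.WriteString("--" + boundary + "--\r\n")
	return b.Bytes()
}

// postForm sends body to uploadHandler in-process and returns the HTTP status.
func postForm(body []byte, boundary string) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(body))
	req.Header.Set("Content-Type", "multipart/form-data; boundary="+boundary)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	const boundary = "----example-boundary"
	// A normal form is accepted (200); a part with a 2 MiB header line trips
	// the 1 MiB body cap and is rejected (413) before it is buffered whole.
	fmt.Println("small form   ->", postForm(buildBody(boundary, 0), boundary))
	fmt.Println("2 MiB header ->", postForm(buildBody(boundary, 2<<20), boundary))
}
```

To confirm which toolchain the shipped operator binary was built with, `go version -m <binary>` prints the Go version and module list embedded in it; a rebuilt image should report 1.21.8, 1.22.1 or later. Note that the maxMemory argument to ParseMultipartForm is not a request-size limit: it only decides when file parts spill to temporary files, which is why the body cap has to be applied separately.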

      People: Michael Skarbek (mskarbek), Robb Gatica (rh-ee-rgatica), Kent Aycoth