
CVE-2022-27664: golang.org/x/net/http2 Denial of Service vulnerability

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.30603%
CWE: -
Published: 9/7/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name           | Ecosystem | Vulnerable Versions                   | First Patched Version
golang.org/x/net       | go        | < 0.0.0-20220906165146-f3363e06e74c  | 0.0.0-20220906165146-f3363e06e74c
golang.org/x/net/http2 | go        | < 0.0.0-20220906165146-f3363e06e74c  | 0.0.0-20220906165146-f3363e06e74c

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability is in HTTP/2 connection shutdown handling. An HTTP/2 server connection that has begun a clean shutdown can hang forever if that shutdown is preempted by a fatal connection error: the serving goroutine keeps waiting for a clean shutdown that will never complete (Go vulnerability database GO-2022-0969). A malicious client can trigger this deliberately and tie up server goroutines and connections, which is why the CVSS vector scores only availability impact (A:H) with no privileges or user interaction required. Server.ServeConn is the per-connection entry point that runs the HTTP/2 state machine and the shutdown sequence; GO-2022-0969 lists it as an affected symbol, and it is the frame to expect in goroutine dumps of a server stuck on a hung connection. The same code is vendored into the standard library's net/http (h2_bundle.go), so a Go binary is exposed through its toolchain version as well as through its golang.org/x/net dependency: the fix shipped in x/net pseudo-version 0.0.0-20220906165146-f3363e06e74c and in Go 1.18.6 and 1.19.1.
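A version check for this advisory, added here as an example and not part of the Miggo page or of the Go project: it compares golang.org/x/net module versions against the patched pseudo-version in the table above, compares Go toolchain versions against 1.18.6 / 1.19.1 (the releases carrying the fix in the bundled net/http), and scans the output of `go version -m <binary>` for either exposure. The sample output, the module hash in it, and the function names are constructed for the example; the assumption that every tagged x/net release (v0.1.0 and later) postdates the fix is marked in the code.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Timestamp part of the first patched golang.org/x/net pseudo-version,
// v0.0.0-20220906165146-f3363e06e74c (from the advisory table).
const patchedXNetTimestamp = "20220906165146"

var (
	pseudoVersionRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)
	taggedVersionRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.\d+`)
	goVersionRe     = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)
)

// XNetPatched reports whether a golang.org/x/net module version contains the fix.
func XNetPatched(version string) (bool, error) {
	if m := pseudoVersionRe.FindStringSubmatch(version); m != nil {
		// Both timestamps are 14-digit YYYYMMDDhhmmss, so string order is chronological.
		return m[1] >= patchedXNetTimestamp, nil
	}
	if m := taggedVersionRe.FindStringSubmatch(version); m != nil {
		major, _ := strconv.Atoi(m[1])
		minor, _ := strconv.Atoi(m[2])
		// Assumption: x/net's first tagged release (v0.1.0) postdates the fix,
		// so any v0.1.0+ tag is treated as patched.
		return major > 0 || minor >= 1, nil
	}
	return false, fmt.Errorf("unrecognised golang.org/x/net version %q", version)
}

// GoToolchainPatched reports whether the net/http copy bundled in a Go release
// has the fix: Go 1.18.6+, 1.19.1+, and every later release series.
func GoToolchainPatched(goVersion string) (bool, error) {
	m := goVersionRe.FindStringSubmatch(goVersion)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major > 1 || minor >= 20:
		return true, nil
	case minor == 19:
		return patch >= 1, nil
	case minor == 18:
		return patch >= 6, nil
	default:
		// Go 1.17 and earlier were out of support when the fix shipped.
		return false, nil
	}
}

// ScanGoVersionM reads `go version -m <binary>` output and returns the toolchain
// or golang.org/x/net entries that are still vulnerable. An x/net version that
// cannot be parsed is reported too, since an unknown version cannot be cleared.
func ScanGoVersionM(output string) []string {
	var findings []string
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && strings.HasSuffix(f[0], ":") && strings.HasPrefix(f[1], "go"):
			// Header line: "<binary>: go1.19"
			if ok, err := GoToolchainPatched(f[1]); err == nil && !ok {
				findings = append(findings, "toolchain "+f[1])
			}
		case len(f) >= 3 && (f[0] == "dep" || f[0] == "=>") && f[1] == "golang.org/x/net":
			// Dependency (or replace target) line: "dep <module> <version> <hash>"
			if ok, err := XNetPatched(f[2]); err != nil || !ok {
				findings = append(findings, f[1]+" "+f[2])
			}
		}
	}
	return findings
}

// Constructed sample of `go version -m` output; the module hashes are placeholders.
const sampleGoVersionM = `./server: go1.19
	path	example.com/server
	mod	example.com/server	(devel)
	dep	golang.org/x/net	v0.0.0-20220722155237-a158d28d115b	h1:placeholder=
	dep	golang.org/x/text	v0.3.7	h1:placeholder=
`

func main() {
	for _, finding := range ScanGoVersionM(sampleGoVersionM) {
		fmt.Println("VULNERABLE:", finding)
	}
}
```

Run against real binaries by piping `go version -m ./server` into ScanGoVersionM. A version string is only a proxy: for a definitive answer use govulncheck, which reports GO-2022-0969 only when the affected symbols (such as Server.ServeConn) are actually reachable from the binary.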

WAF Protection Rules

WAF Rule

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
