CVE-2021-31525 : go - 1.14.15
Created by: armorcodegithubapp[bot]
DOCUMENTATION: A vulnerability was found in net/http in the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go; however, servers are only vulnerable if the default 1 MB value for MaxHeaderBytes is increased.

STATEMENT: This vulnerability potentially affects any component written in Go that uses net/http from the standard library. In OpenShift Container Platform (OCP), OpenShift Virtualization, OpenShift ServiceMesh (OSSM) and OpenShift distributed tracing (formerly OpenShift Jaeger), no server-side component allows HTTP header values larger than 1 MB (the default), preventing this vulnerability from being exploited by malicious clients. It is possible for components that make client connections to malicious servers to be exploited; however, the maximum impact is a crash. This vulnerability is rated Low for the following components:
* OpenShift Container Platform
* OpenShift Virtualization
* OpenShift ServiceMesh
* OpenShift distributed tracing components
Vulnerable Package: go
Current Version: 1.14.15
Image: apache/apisix-dashboard:latest
Path: /usr/local/apisix-dashboard/manager-api
Clusters: minikube
Host: minikube
Host Distro: CentOS Linux release 8.4.2105
CVSS: 5.9
CVSS Vector:
Vulnerability Type: image
File Path: /usr/local/apisix-dashboard/manager-api
Mitigation: fixed in 1.16.4, 1.15.12