
Cloud Vulnerability DB
A community-led vulnerability database
CVE-2023-39326 is a vulnerability in the Go programming language's net/http package discovered in 2023. The vulnerability affects Go versions before 1.20.12 and from 1.21.0-0 before 1.21.5. This security flaw allows a malicious HTTP sender to exploit chunk extensions, a little-used HTTP feature that permits including additional metadata in request or response bodies using chunked encoding (Go Advisory, NVD).
The vulnerability exists in the net/http chunked encoding reader which discards chunk extension metadata. An attacker can exploit this by inserting large metadata segments with each byte transferred, causing the receiver to read many more bytes from the network than are actually present in the body. The CVSS v3.1 base score is 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, and no required privileges or user interaction (NVD).
When exploited, this vulnerability can cause a server to automatically read a large amount of data (up to about 1 GiB) when a handler fails to read the entire body of a request. This can lead to excessive resource consumption and potential denial of service conditions (Go Advisory).
The vulnerability has been fixed in Go versions 1.20.12 and 1.21.5. The fix implements an error response if the ratio of real body to encoded bytes grows too small. Users are advised to upgrade to these patched versions or later releases (Go Advisory).
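The ratio check that the fix describes, shown as an added illustration rather than Go's own net/http code: a minimal chunked-body reader that discards chunk extensions, as net/http does, but counts raw bytes consumed from the wire against body bytes produced and fails once the overhead dominates. The names `readChunkedWithLimit` and `decodeChunked`, the 16:1 overhead ratio, the 64-byte grace window and the 1 MiB chunk-size cap are assumed values chosen for this illustration, not the constants used in Go's fix.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

var ErrChunkOverhead = errors.New("chunked encoding: excessive overhead relative to body")
// readChunkedWithLimit decodes a chunked body while counting raw wire bytes
// consumed versus body bytes produced. Once more than `grace` raw bytes have been
// read, it fails if overhead exceeds maxRatio times the body size (illustrative limits).
func readChunkedWithLimit(r *bufio.Reader, maxRatio, grace int) ([]byte, error) {
	var body []byte
	raw := 0
	for {
		line, err := r.ReadString('\n')
		raw += len(line)
		if err != nil {
			return nil, err
		}
		// Strip CRLF, then discard any ";name=value" chunk extension before parsing.
		field, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), ";")
		size, err := strconv.ParseInt(strings.TrimSpace(field), 16, 64)
		if err != nil || size < 0 || size > 1<<20 { // reject bad or absurd sizes
			return nil, fmt.Errorf("bad chunk-size line %q", line)
		}
		if size == 0 {
			return body, nil // last-chunk reached; trailers are not handled here
		}
		data := make([]byte, size+2) // chunk data plus its trailing CRLF
		n, err := io.ReadFull(r, data)
		raw += n
		if err != nil {
			return nil, err
		}
		body = append(body, data[:size]...)
		if overhead := raw - len(body); raw > grace && overhead > maxRatio*len(body) {
			return nil, ErrChunkOverhead
		}
	}
}

// decodeChunked applies the check with illustrative limits to an in-memory stream.
func decodeChunked(raw string) ([]byte, error) {
	return readChunkedWithLimit(bufio.NewReader(strings.NewReader(raw)), 16, 64)
}
```

A well-formed stream decodes normally, while a constructed stream whose one-byte chunks each carry a kilobyte of extension metadata is rejected after the first chunk instead of being read to exhaustion.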
Source: This report was generated using AI