Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-3D73E384-AD1F-11ED-983C-83FE35862E3A:
The Go project reports:
path/filepath: path traversal in filepath.Clean on Windows
On Windows, the filepath.Clean function could transform
an invalid path such as a/../c:/b into the valid path
c:\b. This transformation of a relative (if invalid)
path into an absolute path could enable a directory
traversal attack. The filepath.Clean function will now
transform this path into the relative (but still
invalid) path .\c:\b.
net/http, mime/multipart: denial of service from excessive
resource consumption
Multipart form parsing with
mime/multipart.Reader.ReadForm can consume largely
unlimited amounts of memory and disk files. This also
affects form parsing in the net/http package with the
Request methods FormFile, FormValue, ParseMultipartForm,
and PostFormValue.
crypto/tls: large handshake records may cause panics
Both clients and servers may send large TLS handshake
records which cause servers and clients,
respectively, to panic when attempting to construct responses.
net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause
excessive CPU consumption in the HPACK decoder,
sufficient to cause a denial of service from a small
number of small requests.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center