CVE-2022-41721 — HTTP Request Smuggling in X NET Golang.org X NET Http2 H2C

CWE-444 — HTTP Request Smuggling9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 79.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X NET Golang.org X NET Http2 H2C Golang.org X NET Golang H2C

Timeline

PublishedJan 13

Latest updateJan 14

Description

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5golang.org/x_net_golang.org_x_net_http2_h2c0.0.0-20220524220425-1d687d428aca — 0.1.1-0.20221104162952-702349b0e862

▶NVDgolang/h2c< 2022-11-04

▶Gogolang.org/x_net0.0.0-20220524220425-1d687d428aca — 0.1.1-0.20221104162952-702349b0e862

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

golang.org/x/net/http2/h2c vulnerable to request smuggling attack↗2023-01-14

▶

GHSA

golang.org/x/net/http2/h2c vulnerable to request smuggling attack↗2023-01-14

▶

CVEList

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c↗2023-01-13

▶

OSV

CVE-2022-41721: A request smuggling attack is possible when using MaxBytesHandler↗2023-01-13

▶

OSV

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c↗2023-01-13

▶

📋Vendor Advisories

Red Hat

x/net/http2/h2c: request smuggling↗2023-01-13

▶

Microsoft

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c↗2023-01-10

▶

Debian

CVE-2022-41721: golang-golang-x-net - A request smuggling attack is possible when using MaxBytesHandler. When using Ma...↗2022

▶