CVE-2022-41721
published 2023-01-13


Priority: P3 (44)
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.81% (76.0th percentile)
A request smuggling attack is possible when using MaxBytesHandler. When MaxBytesHandler is used, the body of an HTTP request is not fully consumed. When the server then attempts to read HTTP/2 frames from the connection, it instead reads the remainder of the HTTP request body, which an attacker can craft to represent arbitrary HTTP/2 requests.

Affected

5 ranges

Vendor     | Product                           | Version range                                                                   | Fixed in
-----------|-----------------------------------|---------------------------------------------------------------------------------|---------------------------------------------------
debian     | golang-golang-x-net               | < golang-golang-x-net 1:0.4.0+dfsg-1 (bookworm)                                 | golang-golang-x-net 1:0.4.0+dfsg-1 (bookworm)
golang.org | x_net                             | >= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862     | 0.1.1-0.20221104162952-702349b0e862
golang.org | x_net_golang.org_x_net_http2_h2c  | >= 0.0.0-20220524220425-1d687d428aca, < 0.1.1-0.20221104162952-702349b0e862     | 0.1.1-0.20221104162952-702349b0e862
golang     | h2c                               | < 2022-11-04                                                                    | 2022-11-04
msrc       | cbl2_opa_0.50.2-5_on_cbl_mariner_2.0 |                                                                              |

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
--------------|--------------|-------|----------|-----------------------------------------------
nvd           | v3.1         | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv           |              | 7.5   | HIGH     |
vendor_debian |              | 7.5   | HIGH     |
vendor_msrc   |              | 7.5   | HIGH     |
vendor_redhat |              | 7.5   | HIGH     |