Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-41721

Опубликовано: 13 янв. 2023
Источник: debian
EPSS Низкий

Описание

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
golang-golang-x-netfixed1:0.4.0+dfsg-1package
golang-golang-x-netnot-affectedbullseyepackage
golang-golang-x-netnot-affectedbusterpackage

Примечания

  • https://go-review.googlesource.com/c/net/+/447396

  • https://github.com/golang/go/issues/56352

  • https://pkg.go.dev/vuln/GO-2023-1495

  • Fixed in https://go.googlesource.com/net/+/702349b0e8628371f0e5ba0c10407448d60a67b1 (v0.2.0)

  • Introduced in https://go.googlesource.com/net/+/1d687d428aca0546c0ca84160c8700ee521e9fb9 (v0.1.0)

EPSS

Процентиль: 25%
0.00087
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2022-41721

CVSS3: 7.5
ubuntu
около 3 лет назад

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

redhat логотип

CVE-2022-41721

CVSS3: 7.5
redhat
около 3 лет назад

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

nvd логотип

CVE-2022-41721

CVSS3: 7.5
nvd
около 3 лет назад

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

msrc логотип

CVE-2022-41721

CVSS3: 7.5
msrc
около 3 лет назад

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

github логотип

GHSA-fxg5-wq6x-vr4w

CVSS3: 7.5
github
около 3 лет назад

golang.org/x/net/http2/h2c vulnerable to request smuggling attack

EPSS

Процентиль: 25%
0.00087
Низкий
Уязвимость CVE-2022-41721