A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
References
| Link | Resource |
|---|---|
| https://go.dev/cl/447396 | Patch Vendor Advisory |
| https://go.dev/issue/56352 | Exploit Issue Tracking Patch Vendor Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/ | |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/ | |
| https://pkg.go.dev/vuln/GO-2023-1495 | Vendor Advisory |
Configurations
History
07 Nov 2023, 03:52
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
27 Aug 2023, 03:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
24 Jan 2023, 17:25
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://pkg.go.dev/vuln/GO-2023-1495 - Vendor Advisory | |
| References | (MISC) https://go.dev/cl/447396 - Patch, Vendor Advisory | |
| References | (MISC) https://go.dev/issue/56352 - Exploit, Issue Tracking, Patch, Vendor Advisory | |
| CWE | CWE-444 | |
| First Time |
Golang
Golang h2c |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CPE | cpe:2.3:a:golang:h2c:*:*:*:*:*:go:*:* |
13 Jan 2023, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-01-13 23:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-41721
Mitre link : CVE-2022-41721
CVE.ORG link : CVE-2022-41721
JSON object : View
Products Affected
golang
- h2c
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')