CVE-2022-1705 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
golang	go	𝑥 < 1.17.12
golang	go	1.18.0 ≤ 𝑥 < 1.18.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-1.15

bullseye

vulnerable

golang-1.19

bookworm	1.19.8-2 fixed
bullseye	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

golang-1.13

bionic	Fixed 1.13.8-1ubuntu1~18.04.4+esm1 released
focal	Fixed 1.13.8-1ubuntu1.2 released
jammy	Fixed 1.13.8-1ubuntu2.22.04.2 released
lunar	dne
mantic	dne
trusty	ignored
xenial	Fixed 1.13.8-1ubuntu1~16.04.3+esm3 released

golang-1.16

bionic	Fixed 1.16.2-0ubuntu1~18.04.2+esm1 released
focal	Fixed 1.16.2-0ubuntu1~20.04.1 released
jammy	dne
lunar	dne
mantic	dne
trusty	ignored
xenial	ignored

golang-1.18

bionic	Fixed 1.18.1-1ubuntu1~18.04.4 released
focal	Fixed 1.18.1-1ubuntu1~20.04.2 released
impish	dne
jammy	Fixed 1.18.1-1ubuntu1.1 released
kinetic	dne
lunar	dne
trusty	dne
xenial	dne

Red Hat Enterprise Linux Releases

Red Hat Product

Release

git-lfs

RHEL 9

0:3.2.0-1.el9

fixed

go-toolset

RHEL 9

0:1.17.12-1.el9_0

fixed

golang

RHEL 9

0:1.17.12-1.el9_0

fixed

golang-bin

RHEL 9

0:1.17.12-1.el9_0

fixed

golang-docs

RHEL 9

0:1.17.12-1.el9_0

fixed

golang-misc

RHEL 9

0:1.17.12-1.el9_0

fixed

golang-race

RHEL 9

0:1.17.12-1.el9_0

fixed

golang-src

RHEL 9

0:1.17.12-1.el9_0

fixed

golang-tests

RHEL 9

0:1.17.12-1.el9_0

fixed

grafana

RHEL 9

0:7.5.15-3.el9

fixed

grafana-pcp

RHEL 9

0:3.2.0-3.el9

fixed

toolbox

RHEL 9

0:0.0.99.3-5.el9

fixed

toolbox-tests

RHEL 9

0:0.0.99.3-5.el9

fixed

Known Exploits!

Common Weakness Enumeration

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References

https://go.dev/cl/409874

https://go.dev/cl/410714

https://go.dev/issue/53188

https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f

https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

https://pkg.go.dev/vuln/GO-2022-0525

https://go.dev/cl/409874

https://go.dev/cl/410714

https://go.dev/issue/53188

https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f

https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

https://pkg.go.dev/vuln/GO-2022-0525