CVE-2022-2880

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.18.7
golanggo
1.19.0 ≤
𝑥
< 1.19.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
buster
postponed
golang-1.19
bookworm
1.19.8-2
fixed
bullseye
no-dsa
buster
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.10
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
needed
xenial
needed
golang-1.13
bionic
Fixed 1.13.8-1ubuntu1~18.04.4+esm1
released
focal
Fixed 1.13.8-1ubuntu1.2
released
jammy
Fixed 1.13.8-1ubuntu2.22.04.2
released
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
Fixed 1.13.8-1ubuntu1~16.04.3+esm3
released
golang-1.14
bionic
dne
focal
needed
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.16
bionic
Fixed 1.16.2-0ubuntu1~18.04.2+esm1
released
focal
Fixed 1.16.2-0ubuntu1~20.04.1
released
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
ignored
golang-1.17
bionic
dne
focal
dne
jammy
needed
trusty
ignored
xenial
ignored
golang-1.18
bionic
Fixed 1.18.1-1ubuntu1~18.04.4
released
focal
Fixed 1.18.1-1ubuntu1~20.04.2
released
jammy
Fixed 1.18.1-1ubuntu1.1
released
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
Fixed 1.18.1-1ubuntu1~16.04.4
released
golang-1.19
bionic
dne
focal
dne
jammy
dne
kinetic
not-affected
lunar
not-affected
mantic
dne
noble
dne
trusty
ignored
xenial
ignored
golang-1.6
bionic
dne
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
needed
golang-1.8
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.9
bionic
needed
focal
dne
jammy
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
git-lfs
RHEL 9
0:3.2.0-1.el9
fixed
golang
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-bin
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-docs
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-misc
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-race
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-src
RHEL 9
0:1.18.9-1.el9_1
fixed
golang-tests
RHEL 9
0:1.18.9-1.el9_1
fixed
grafana
RHEL 9
0:9.0.9-2.el9
fixed
osbuild-composer
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
osbuild-composer-core
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
osbuild-composer-dnf-json
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
osbuild-composer-worker
RHEL 8
0:75-1.el8
fixed
RHEL 9
0:76-2.el9_2
fixed
weldr-client
RHEL 8
0:35.9-2.el8
fixed
RHEL 9
0:35.9-1.el9
fixed
Common Weakness Enumeration
References
https://go.dev/cl/432976
https://go.dev/issue/54663
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1038
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/432976
https://go.dev/issue/54663
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1038
https://security.gentoo.org/glsa/202311-09