CVE-2022-1705

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
References
Link Resource
https://go.dev/cl/409874 Patch Vendor Advisory
https://go.dev/cl/410714 Patch Vendor Advisory
https://go.dev/issue/53188 Exploit Issue Tracking Patch Vendor Advisory
https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f Patch Vendor Advisory
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE Release Notes Vendor Advisory
https://pkg.go.dev/vuln/GO-2022-0525 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

History

03 Mar 2023, 15:36

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/', 'name': 'FEDORA-2022-30c5ed5625', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}

26 Oct 2022, 17:14

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/ - Mailing List, Third Party Advisory

17 Aug 2022, 04:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/ -

16 Aug 2022, 00:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
CWE CWE-444
CPE cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
References (MISC) https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f - (MISC) https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f - Patch, Vendor Advisory
References (MISC) https://go.dev/cl/410714 - (MISC) https://go.dev/cl/410714 - Patch, Vendor Advisory
References (MISC) https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE - (MISC) https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE - Release Notes, Vendor Advisory
References (MISC) https://pkg.go.dev/vuln/GO-2022-0525 - (MISC) https://pkg.go.dev/vuln/GO-2022-0525 - Vendor Advisory
References (MISC) https://go.dev/cl/409874 - (MISC) https://go.dev/cl/409874 - Patch, Vendor Advisory
References (MISC) https://go.dev/issue/53188 - (MISC) https://go.dev/issue/53188 - Exploit, Issue Tracking, Patch, Vendor Advisory

10 Aug 2022, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-08-10 20:15

Updated : 2024-02-04 22:51


NVD link : CVE-2022-1705

Mitre link : CVE-2022-1705

CVE.ORG link : CVE-2022-1705


JSON object : View

Products Affected

golang

  • go
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')