Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-FXG5-WQ6X-VR4W
HistoryJan 14, 2023 - 12:30 a.m.

golang.org/x/net/http2/h2c vulnerable to request smuggling attack

2023-01-1400:30:23
CWE-444
GitHub Advisory Database
github.com
52
request smuggling
maxbyteshandler
http request
http2 requests
go packages
server vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

55.1%

JSON

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Specific Go Packages Affected

golang.org/x/net/http2/h2c

Affected configurations

Vulners
Node
xnetRange0.0.0-20220524220425-1d687d428acaโ€“0.1.1-0.20221104162952-702349b0e862
VendorProductVersionCPE
xnet*cpe:2.3:a:x:net:*:*:*:*:*:*:*:*

Related

nessus 9
osv 6
ibm 32
gitlab 2
freebsd 1
ubuntucve 1
openvas 2
fedora 2
cvelist 1
nvd 1
redhatcve 1
cve 1
prion 1
cbl_mariner 1
veracode 1
cgr 1
debiancve 1
redhat 4
nessus
nessus
Fedora 38 : caddy (2023-74e5545901)
2023-08-27 00:00:00
FreeBSD : traefik -- Use of vulnerable Go module x/net/http2 (428922c9-b07e-11ed-8700-5404a68ad561)
2023-02-19 00:00:00
RHEL 9 : x_net_http2_h2c (Unpatched Vulnerability)
2024-05-11 00:00:00
osv
osv
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
2023-01-13 22:39:40
caddy-2.6.3-1.1 on GA media
2024-06-15 00:00:00
CGA-3h86-jxj7-mj2c
2024-06-06 12:21:56
ibm
ibm
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to HTTP request smuggling in Golang Go ( CVE-2022-41721)
2023-06-28 20:36:45
Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to request smuggling in Go (CVE-2022-41721)
2023-03-03 15:22:00
Security Bulletin: Vulnerability in Go affects watsonx.data
2024-09-05 18:50:17
gitlab
gitlab
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
2023-01-14 00:00:00
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
2023-01-14 00:00:00
freebsd
freebsd
traefik -- Use of vulnerable Go module x/net/http2
2022-10-22 00:00:00
ubuntucve
ubuntucve
CVE-2022-41721
2023-01-13 00:00:00
openvas
openvas
Fedora: Security Advisory for caddy (FEDORA-2023-4926525509)
2023-08-27 00:00:00
Fedora: Security Advisory for caddy (FEDORA-2023-74e5545901)
2023-08-27 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: caddy-2.6.4-1.fc37
2023-08-27 00:51:01
[SECURITY] Fedora 38 Update: caddy-2.6.4-1.fc38
2023-08-27 00:44:06
cvelist
cvelist
CVE-2022-41721 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
2023-01-13 22:46:22
nvd
nvd
CVE-2022-41721
2023-01-13 23:15:09
redhatcve
redhatcve
CVE-2022-41721
2023-01-19 04:04:56
cve
cve
CVE-2022-41721
2023-01-13 23:15:09
prion
prion
Design/Logic Flaw
2023-01-13 23:15:00
cbl_mariner
cbl_mariner
CVE-2022-41721 affecting package opa for versions less than 0.50.2-5
2023-08-30 15:15:49
veracode
veracode
HTTP Request Smuggling
2023-01-22 08:35:58
cgr
cgr
CVE-2022-41721 vulnerabilities
2024-05-19 03:07:16
debiancve
debiancve
CVE-2022-41721
2023-01-13 23:15:09
redhat
redhat
(RHSA-2023:5442) Moderate: Red Hat Advanced Cluster Management 2.8.2 security and bug fix updates
2023-10-04 12:07:14
(RHSA-2023:5421) Moderate: Multicluster Engine for Kubernetes 2.3.2 security updates and bug fixes
2023-10-03 17:54:00
(RHSA-2023:4627) Important: Migration Toolkit for Applications security and bug fix update
2023-08-14 01:00:22

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

55.1%

JSON
Related for GHSA-FXG5-WQ6X-VR4W
nessus9osv6ibm32gitlab2freebsd1ubuntucve1openvas2fedora2cvelist1nvd1redhatcve1cve1prion1cbl_mariner1veracode1cgr1debiancve1redhat4