CVE-2022-1705

2022-08-1000:00:00

ubuntu.com

http request smuggling

http/1 client

net/http

go 1.17.12

go 1.18.4

intermediate server

http security

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.002

Percentile

54.5%

JSON

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client
in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling
if combined with an intermediate server that also improperly fails to
reject the header as invalid.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchgolang-1.13< 1.13.8-1ubuntu1~18.04.4+esm1UNKNOWN
ubuntu20.04noarchgolang-1.13< 1.13.8-1ubuntu1.2UNKNOWN
ubuntu22.04noarchgolang-1.13< 1.13.8-1ubuntu2.22.04.2UNKNOWN
ubuntu16.04noarchgolang-1.13< 1.13.8-1ubuntu1~16.04.3+esm3UNKNOWN
ubuntu18.04noarchgolang-1.16< 1.16.2-0ubuntu1~18.04.2+esm1UNKNOWN
ubuntu20.04noarchgolang-1.16< 1.16.2-0ubuntu1~20.04.1UNKNOWN
ubuntu18.04noarchgolang-1.18< 1.18.1-1ubuntu1~18.04.4UNKNOWN
ubuntu20.04noarchgolang-1.18< 1.18.1-1ubuntu1~20.04.2UNKNOWN
ubuntu22.04noarchgolang-1.18< 1.18.1-1ubuntu1.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	golang-1.13	< 1.13.8-1ubuntu1~18.04.4+esm1	UNKNOWN
ubuntu	20.04	noarch	golang-1.13	< 1.13.8-1ubuntu1.2	UNKNOWN
ubuntu	22.04	noarch	golang-1.13	< 1.13.8-1ubuntu2.22.04.2	UNKNOWN
ubuntu	16.04	noarch	golang-1.13	< 1.13.8-1ubuntu1~16.04.3+esm3	UNKNOWN
ubuntu	18.04	noarch	golang-1.16	< 1.16.2-0ubuntu1~18.04.2+esm1	UNKNOWN
ubuntu	20.04	noarch	golang-1.16	< 1.16.2-0ubuntu1~20.04.1	UNKNOWN
ubuntu	18.04	noarch	golang-1.18	< 1.18.1-1ubuntu1~18.04.4	UNKNOWN
ubuntu	20.04	noarch	golang-1.18	< 1.18.1-1ubuntu1~20.04.2	UNKNOWN
ubuntu	22.04	noarch	golang-1.18	< 1.18.1-1ubuntu1.1	UNKNOWN