CVE-2022-2880
Incorrect sanitization of forwarded query parameters in net/http/httputil
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: see below
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the reverse proxy's Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
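The sanitization behaviour the descriptions refer to, shown as an added Go example that is not code from the Go project or from this record: a proxy that parses the inbound query itself and forwards only the parameters the parser accepted, so an unparsable pair is dropped rather than passed through verbatim. The helper names (sanitizeQuery, newSanitizingProxy) and the upstream address are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// sanitizeQuery keeps only the key/value pairs that url.ParseQuery accepts and
// drops the ones net/http rejects (an invalid percent-escape, or a ';' used as
// a separator). If nothing was rejected the raw query is forwarded unchanged,
// as the description above states for proxies that parse the query.
// url.ParseQuery keeps parsing after an error, so the returned Values holds the
// accepted pairs; Values.Encode sorts keys, so parameter order is not kept.
func sanitizeQuery(rawQuery string) string {
	values, err := url.ParseQuery(rawQuery)
	if err == nil {
		return rawQuery
	}
	return values.Encode()
}

// newSanitizingProxy (hypothetical helper) wraps NewSingleHostReverseProxy
// with a Director that rewrites the outbound query through sanitizeQuery, so
// the upstream never sees a parameter this proxy could not parse itself. It
// deliberately does not call req.ParseForm, which on a POST form request would
// read the body before it is proxied.
func newSanitizingProxy(target *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	rewriteHost := proxy.Director // default Director: sets scheme/host/path
	proxy.Director = func(req *http.Request) {
		rewriteHost(req)
		req.URL.RawQuery = sanitizeQuery(req.URL.RawQuery)
	}
	return proxy
}

func main() {
	// Constructed samples: "b" carries an invalid escape and is dropped; a
	// query that parses cleanly passes through byte-for-byte.
	log.Println(sanitizeQuery("a=1&b=%zz&c=3")) // a=1&c=3
	log.Println(sanitizeQuery("a=1&b=2"))       // a=1&b=2
	// Placeholder upstream; serve the sanitizing proxy on :8081.
	target, _ := url.Parse("http://upstream.example:8080")
	log.Fatal(http.ListenAndServe(":8081", newSanitizingProxy(target)))
}
```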
Timeline
- 2022-08-17 CVE Reserved
- 2022-10-14 CVE Published
- 2024-05-06 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
References (7)
URL | Tag | Date
---|---|---
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU | Mailing List |
https://security.gentoo.org/glsa/202311-09 | |
https://go.dev/issue/54663 | | 2024-08-03
https://go.dev/cl/432976 | | 2023-11-25
https://pkg.go.dev/vuln/GO-2022-1038 | | 2023-11-25
https://access.redhat.com/security/cve/CVE-2022-2880 | | 2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2132868 | | 2024-05-22
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Golang | Go | < 1.18.7 | Affected
Golang | Go | >= 1.19.0 < 1.19.2 | Affected