CVE-2022-2880

Incorrect sanitization of forwarded query parameters in net/http/httputil

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

Las peticiones reenviadas por ReverseProxy incluyen los parámetros de consulta sin procesar de la petición entrante, incluyendo parámetros no analizables rechazados por net/http. Esto podría permitir el contrabando de parámetros de consulta cuando un proxy Go reenvía un parámetro con un valor no analizable. Después de la corrección, ReverseProxy sanea los parámetros de consulta en la consulta reenviada cuando el campo Form de la petición saliente es establecido después de que la función ReverseProxy. La función Director regresa, indicando que el proxy ha analizado los parámetros de la consulta. Los proxies que no analizan los parámetros de consulta continúan reenviando los parámetros de consulta originales sin cambios

A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.

*Credits: Gal Goldstein (Security Researcher, Oxeye), Daniel Abeles (Head of Research, Oxeye)

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-08-17 CVE Reserved
2022-10-14 CVE Published
2024-05-06 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (7)

URL	Tag	Source
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU	Mailing List
https://security.gentoo.org/glsa/202311-09

URL	Date	SRC
https://go.dev/issue/54663	2024-08-03

URL	Date	SRC
https://go.dev/cl/432976	2023-11-25

URL	Date	SRC
https://pkg.go.dev/vuln/GO-2022-1038	2023-11-25
https://access.redhat.com/security/cve/CVE-2022-2880	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2132868	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.18.7 Search vendor "Golang" for product "Go" and version " < 1.18.7"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.19.0 < 1.19.2 Search vendor "Golang" for product "Go" and version " >= 1.19.0 < 1.19.2"		-		Affected