[GO-2022-1038] Incorrect sanitization of forwarded query parameters in net/http/httputil
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
Requests forwarded by ReverseProxy include the raw query parameters from the
inbound request, including unparsable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter with
an unparsable value.
After fix, ReverseProxy sanitizes the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy. Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
Package | Affected Version |
---|---|
pkg:golang/net/http/httputil | >= 1.19.1, < 1.18.7 |
pkg:golang/net/http/httputil | >= 1.19.1, < 1.19.2 |
Package | Fixed Version |
---|---|
pkg:golang/net/http/httputil | = 1.18.7 |
pkg:golang/net/http/httputil | = 1.19.2 |
- ID
- GO-2022-1038
- Severity
- high
- Severity from
- CVE-2022-2880
- URL
- https://pkg.go.dev/vuln/GO-2022-1038
- Published
-
2022-10-05T21:55:44
(23 months ago) - Modified
-
2024-07-17T19:54:18
(2 months ago) - Other Advisories
-
- ALAS2-2023-2015
- ALPINE:CVE-2022-2880
- ALSA-2023:0328
- ALSA-2023:0446
- ALSA-2023:2167
- ALSA-2023:2204
- ALSA-2023:2357
- ALSA-2023:2780
- ALSA-2023:2784
- ALSA-2023:2866
- ALSA-2024:0121
- ALSA-2024:3254
- ELSA-2022-24267
- ELSA-2023-0328
- ELSA-2023-0446
- ELSA-2023-18908
- ELSA-2023-2167
- ELSA-2023-2204
- ELSA-2023-2357
- ELSA-2023-2780
- ELSA-2023-2784
- ELSA-2023-2866
- ELSA-2024-0121
- ELSA-2024-2988
- ELSA-2024-3254
- FEDORA-2022-59a20edab2
- FREEBSD:854C2AFB-4424-11ED-AF97-ADCABF310F9B
- GLSA-202311-09
- RHSA-2023:0328
- RHSA-2023:0446
- RHSA-2023:2167
- RHSA-2023:2204
- RHSA-2023:2357
- RHSA-2023:2780
- RHSA-2023:2784
- RHSA-2023:2866
- RHSA-2024:0121
- RHSA-2024:2988
- RHSA-2024:3254
- RLSA-2023:0328
- RLSA-2023:0446
- SUSE-SU-2022:3668-1
- SUSE-SU-2022:3669-1
- SUSE-SU-2023:2312-1
- USN-6038-1
- USN-6038-2
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/net/http/httputil | net/http | httputil | = 1.18.7 | |||
Affected | pkg:golang/net/http/httputil | net/http | httputil | >= 1.19.1 < 1.18.7 | |||
Fixed | pkg:golang/net/http/httputil | net/http | httputil | = 1.19.2 | |||
Affected | pkg:golang/net/http/httputil | net/http | httputil | >= 1.19.1 < 1.19.2 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |