CVE-2022-1705

Name
CVE-2022-1705
Description
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| MISC | https://go.dev/cl/409874 |
| MISC | https://pkg.go.dev/vuln/GO-2022-0525 |
| MISC | https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f |
| MISC | https://go.dev/cl/410714 |
| MISC | https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE |
| MISC | https://go.dev/issue/53188 |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | go | >= None | < 1.17.12 |
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | go | >= 1.18.0 | < 1.18.4 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status