CVE-2022-2880

Name
CVE-2022-2880
Description
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://go.dev/issue/54663
MISC https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
MISC https://go.dev/cl/432976
MISC https://pkg.go.dev/vuln/GO-2022-1038
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THKJHFMX4DAZXJ5MFPN3BNHZDN7BW5RI/
Exploit https://www.oxeye.io/blog/golang-parameter-smuggling-attack

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= 1.19.0 < 1.19.2
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.18.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go 3.16-community 1.18.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed