CVE-2022-2880: Incorrect sanitization of forwarded query parameters in net/http/httputil
First published: Tue Oct 04 2022(Updated: )
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:1.6.1-1.el8 | 0:1.6.1-1.el8 |
| redhat/go-toolset | <1.18-0:1.18.9-1.el7_9 | 1.18-0:1.18.9-1.el7_9 |
| redhat/go-toolset | <1.18-golang-0:1.18.9-1.el7_9 | 1.18-golang-0:1.18.9-1.el7_9 |
| redhat/osbuild-composer | <0:75-1.el8 | 0:75-1.el8 |
| redhat/weldr-client | <0:35.9-2.el8 | 0:35.9-2.el8 |
| redhat/grafana | <0:7.5.15-4.el8 | 0:7.5.15-4.el8 |
| redhat/git-lfs | <0:3.2.0-2.el8 | 0:3.2.0-2.el8 |
| redhat/golang | <0:1.18.9-1.el9_1 | 0:1.18.9-1.el9_1 |
| redhat/grafana | <0:9.0.9-2.el9 | 0:9.0.9-2.el9 |
| redhat/osbuild-composer | <0:76-2.el9_2 | 0:76-2.el9_2 |
| redhat/weldr-client | <0:35.9-1.el9 | 0:35.9-1.el9 |
| redhat/git-lfs | <0:3.2.0-1.el9 | 0:3.2.0-1.el9 |
| redhat/ignition | <0:2.14.0-5.rhaos4.12.el8 | 0:2.14.0-5.rhaos4.12.el8 |
| redhat/openshift-clients | <0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8 | 0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8 |
| redhat/buildah | <1:1.23.4-4.rhaos4.12.el8 | 1:1.23.4-4.rhaos4.12.el8 |
| redhat/conmon | <2:2.1.2-4.rhaos4.12.el8 | 2:2.1.2-4.rhaos4.12.el8 |
| redhat/podman | <3:4.2.0-6.1.rhaos4.12.el8 | 3:4.2.0-6.1.rhaos4.12.el8 |
| redhat/skopeo | <2:1.9.4-3.rhaos4.12.el9 | 2:1.9.4-3.rhaos4.12.el9 |
| redhat/etcd | <0:3.3.23-12.el8 | 0:3.3.23-12.el8 |
| redhat/skupper-cli | <0:1.4.1-2.el8 | 0:1.4.1-2.el8 |
| redhat/skupper-cli | <0:1.4.1-2.el9 | 0:1.4.1-2.el9 |
| redhat/go | <1.19.2 | 1.19.2 |
| redhat/go | <1.18.7 | 1.18.7 |
| Golang Go | <1.18.7 | |
| Golang Go | >=1.19.0<1.19.2 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/issue/54663
- https://go.dev/cl/432976
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
- https://pkg.go.dev/vuln/GO-2022-1038
- https://security.gentoo.org/glsa/202311-09
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2132876
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2132877
- https://github.com/golang/go/issues/54663
- https://github.com/golang/go/commit/7c84234142149bd24a4096c6cab691d3593f3431
- https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e
- https://github.com/golang/go/commit/f6d844510d5f1e3b3098eba255d9b633d45eac3b
- https://access.redhat.com/errata/RHSA-2022:8781
- https://access.redhat.com/errata/RHSA-2022:7398
- https://access.redhat.com/errata/RHSA-2022:7399
- https://access.redhat.com/errata/RHSA-2023:0264
- https://access.redhat.com/errata/RHSA-2023:0328
- https://access.redhat.com/errata/RHSA-2023:0445
- https://access.redhat.com/errata/RHSA-2023:0446
- https://access.redhat.com/errata/RHSA-2023:0542
- https://access.redhat.com/errata/RHSA-2023:0631
- https://access.redhat.com/errata/RHSA-2023:0693
- https://access.redhat.com/errata/RHSA-2023:0708
- https://access.redhat.com/errata/RHSA-2023:0709
- https://access.redhat.com/errata/RHSA-2023:0727
- https://access.redhat.com/errata/RHSA-2023:1042
- https://access.redhat.com/errata/RHSA-2023:1174
- https://access.redhat.com/errata/RHSA-2023:1275
- https://access.redhat.com/errata/RHSA-2023:2167
- https://access.redhat.com/errata/RHSA-2023:2204
- https://access.redhat.com/errata/RHSA-2023:2357
- https://access.redhat.com/errata/RHSA-2023:2780
- https://access.redhat.com/errata/RHSA-2023:2784
- https://access.redhat.com/errata/RHSA-2023:2866
- https://access.redhat.com/errata/RHSA-2023:3205
- https://access.redhat.com/errata/RHSA-2023:0584
- https://access.redhat.com/security/cve/cve-2022-2880
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:3664
- https://access.redhat.com/errata/RHSA-2023:3742
- https://access.redhat.com/errata/RHSA-2023:3613
- https://access.redhat.com/errata/RHSA-2023:4003
- https://access.redhat.com/errata/RHSA-2024:0121
- https://bugzilla.redhat.com/show_bug.cgi?id=2132868
- https://www.cve.org/CVERecord?id=CVE-2022-2880 https://nvd.nist.gov/vuln/detail/CVE-2022-2880 https://github.com/golang/go/issues/54663 https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
- https://access.redhat.com/errata/RHSA-2022:8535
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2023:1174
- RHSA-2023:1042
- RHSA-2023:3664
- RHSA-2023:0708
- RHSA-2023:0584
- RHSA-2023:0631
- RHSA-2023:3642
- RHSA-2023:0445
- RHSA-2023:0446
- RHSA-2023:2780
- RHSA-2023:2784
- RHSA-2023:2866
- RHSA-2023:0328
- RHSA-2023:2167
- RHSA-2023:2204
- RHSA-2023:2357
- RHSA-2023:0693
- RHSA-2022:8535
- RHSA-2022:7398
- RHSA-2022:7399
- RHSA-2023:0727
- RHSA-2023:3613
- RHSA-2023:0542
- RHSA-2023:1275
- RHSA-2023:3205
- RHSA-2023:3742
- RHSA-2022:8781
- RHSA-2023:0264
- RHSA-2023:0709
- RHSA-2023:4003
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-2880.
What is the severity of CVE-2022-2880?
The severity of CVE-2022-2880 is high with a CVSS score of 7.5.
Which software packages are affected by CVE-2022-2880?
The affected software packages include go, openshift-serverless-clients, go-toolset, osbuild-composer, weldr-client, grafana, git-lfs, golang, ignition, openshift-clients, buildah, conmon, podman, skopeo, etcd, and skupper-cli.
What is the remediation for CVE-2022-2880?
The remediation for CVE-2022-2880 is to upgrade to version 1.19.2 of the go package.
Where can I find more information about CVE-2022-2880?
More information about CVE-2022-2880 can be found in the following references: [Link 1](https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2132876), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2132877).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/mitre-cve
- collector/nvd-api
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2880
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/golang
- canonical/golang go
- version/golang go/1.19.0
- package-manager/redhat