CVE-2022-41721
First published: Fri Jan 13 2023(Updated: )
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests. ### Specific Go Packages Affected golang.org/x/net/http2/h2c
Credit: security@golang.org security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang H2c | <2022-11-04 | |
| go/golang.org/x/net | >=0.0.0-20220524220425-1d687d428aca<0.1.1-0.20221104162952-702349b0e862 | 0.1.1-0.20221104162952-702349b0e862 |
| redhat/golang.org/x/net 0.1.1-0.20221104162952 | <702349 | 702349 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-41721
- https://go.dev/cl/447396
- https://go.dev/issue/56352
- https://pkg.go.dev/vuln/GO-2023-1495
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
- https://github.com/advisories/GHSA-fxg5-wq6x-vr4w (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162187
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162185
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162188
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162186
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162184
- https://access.redhat.com/errata/RHSA-2023:1326
- https://access.redhat.com/security/cve/cve-2022-41721
- https://access.redhat.com/errata/RHSA-2023:4627
- https://access.redhat.com/errata/RHSA-2023:5421
- https://access.redhat.com/errata/RHSA-2023:5442
- https://bugzilla.redhat.com/show_bug.cgi?id=2162182
- https://www.cve.org/CVERecord?id=CVE-2022-41721 https://nvd.nist.gov/vuln/detail/CVE-2022-41721 https://go.dev/cl/447396 https://go.dev/issue/56352 https://pkg.go.dev/vuln/GO-2023-1495
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-41721?
CVE-2022-41721 is a vulnerability that allows for a request smuggling attack when using MaxBytesHandler.
What is the severity of CVE-2022-41721?
CVE-2022-41721 has a severity level of high.
How does CVE-2022-41721 work?
CVE-2022-41721 occurs when the body of an HTTP request is not fully consumed, allowing an attacker to manipulate the request and potentially carry out a request smuggling attack.
What software is affected by CVE-2022-41721?
The software affected by CVE-2022-41721 includes golang.org/x/net, golang.org/x/net/http2/h2c, and Golang H2c.
How can I fix CVE-2022-41721?
To fix CVE-2022-41721, update your affected software to the recommended version provided by the vendor.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-fxg5-wq6x-vr4w
- alias/CVE-2022-41721
- collector/github-advisory-latest
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/go
- vendor/golang
- canonical/golang h2c
- package-manager/redhat