CVE-2022-41721: Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
First published: Fri Jan 13 2023(Updated: )
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Credit: security@golang.org security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang H2c | <2022-11-04 | |
| go/golang.org/x/net | >=0.0.0-20220524220425-1d687d428aca<0.1.1-0.20221104162952-702349b0e862 | 0.1.1-0.20221104162952-702349b0e862 |
| redhat/golang.org/x/net 0.1.1-0.20221104162952 | <702349 | 702349 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/cl/447396
- https://go.dev/issue/56352
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
- https://pkg.go.dev/vuln/GO-2023-1495
- https://nvd.nist.gov/vuln/detail/CVE-2022-41721
- https://github.com/advisories/GHSA-fxg5-wq6x-vr4w (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2022-41721 https://nvd.nist.gov/vuln/detail/CVE-2022-41721 https://go.dev/cl/447396 https://go.dev/issue/56352 https://pkg.go.dev/vuln/GO-2023-1495
- https://bugzilla.redhat.com/show_bug.cgi?id=2162182
- https://access.redhat.com/errata/RHSA-2023:4627
- https://access.redhat.com/errata/RHSA-2023:5421
- https://access.redhat.com/errata/RHSA-2023:5442
- https://access.redhat.com/errata/RHSA-2023:1326
- https://access.redhat.com/security/cve/cve-2022-41721
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162187
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162185
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162188
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162186
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162184
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-41721?
CVE-2022-41721 is a vulnerability that allows for a request smuggling attack when using MaxBytesHandler.
What is the severity of CVE-2022-41721?
CVE-2022-41721 has a severity level of high.
How does CVE-2022-41721 work?
CVE-2022-41721 occurs when the body of an HTTP request is not fully consumed, allowing an attacker to manipulate the request and potentially carry out a request smuggling attack.
What software is affected by CVE-2022-41721?
The software affected by CVE-2022-41721 includes golang.org/x/net, golang.org/x/net/http2/h2c, and Golang H2c.
How can I fix CVE-2022-41721?
To fix CVE-2022-41721, update your affected software to the recommended version provided by the vendor.
- collector/nvd-api
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-41721
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fxg5-wq6x-vr4w
- agent/description
- collector/nvd-cve
- source/NVD
- agent/references
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/event
- agent/tags
- agent/trending
- vendor/golang
- canonical/golang h2c
- package-manager/redhat
- package-manager/go