data/reports/GO-2022-0525.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.17.12
       - introduced: 1.18.0
         fixed: 1.18.4
     vulnerable_at: 1.18.3
     packages:
       - package: net/http
         symbols:
           - transferReader.parseTransferEncoding
 description: |
     The HTTP/1 client accepted some invalid Transfer-Encoding headers as
     indicating a "chunked" encoding. This could potentially allow for request
     smuggling, but only if combined with an intermediate server that also
     improperly failed to reject the header as invalid.
 published: 2022-07-25T17:34:18Z
 credit: Zeyu Zhang (https://www.zeyu2001.com/)
 references:
   - fix: https://go.dev/cl/409874
   - fix: https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f
   - report: https://go.dev/issue/53188
   - fix: https://go.dev/cl/410714
   - web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
 cve_metadata:
     id: CVE-2022-1705
     cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request Smuggling'')'
     description: |
         Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client
         in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling
         if combined with an intermediate server that also improperly fails to
         reject the header as invalid.
	modules:
	- module: std
	versions:
	- fixed: 1.17.12
	- introduced: 1.18.0
	fixed: 1.18.4
	vulnerable_at: 1.18.3
	packages:
	- package: net/http
	symbols:
	- transferReader.parseTransferEncoding
	description: \|
	The HTTP/1 client accepted some invalid Transfer-Encoding headers as
	indicating a "chunked" encoding. This could potentially allow for request
	smuggling, but only if combined with an intermediate server that also
	improperly failed to reject the header as invalid.
	published: 2022-07-25T17:34:18Z
	credit: Zeyu Zhang (https://www.zeyu2001.com/)
	references:
	- fix: https://go.dev/cl/409874
	- fix: https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f
	- report: https://go.dev/issue/53188
	- fix: https://go.dev/cl/410714
	- web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
	cve_metadata:
	id: CVE-2022-1705
	cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request Smuggling'')'
	description: \|
	Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client
	in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling
	if combined with an intermediate server that also improperly fails to
	reject the header as invalid.