data/reports/GO-2022-1038.yaml - vulndb - Git at Google

 id: GO-2022-1038
 modules:
     - module: std
       versions:
         - fixed: 1.18.7
         - introduced: 1.19.0-0
           fixed: 1.19.2
       vulnerable_at: 1.19.1
       packages:
         - package: net/http/httputil
           symbols:
             - ReverseProxy.ServeHTTP
 summary: Incorrect sanitization of forwarded query parameters in net/http/httputil
 description: |-
     Requests forwarded by ReverseProxy include the raw query parameters from the
     inbound request, including unparsable parameters rejected by net/http. This
     could permit query parameter smuggling when a Go proxy forwards a parameter with
     an unparsable value.

     After fix, ReverseProxy sanitizes the query parameters in the forwarded query
     when the outbound request's Form field is set after the ReverseProxy. Director
     function returns, indicating that the proxy has parsed the query parameters.
     Proxies which do not parse query parameters continue to forward the original
     query parameters unchanged.
 credits:
     - Gal Goldstein (Security Researcher, Oxeye)
     - Daniel Abeles (Head of Research, Oxeye)
 references:
     - report: https://go.dev/issue/54663
     - fix: https://go.dev/cl/432976
     - web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
 cve_metadata:
     id: CVE-2022-2880
     cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests'
	id: GO-2022-1038
	modules:
	- module: std
	versions:
	- fixed: 1.18.7
	- introduced: 1.19.0-0
	fixed: 1.19.2
	vulnerable_at: 1.19.1
	packages:
	- package: net/http/httputil
	symbols:
	- ReverseProxy.ServeHTTP
	summary: Incorrect sanitization of forwarded query parameters in net/http/httputil
	description: \|-
	Requests forwarded by ReverseProxy include the raw query parameters from the
	inbound request, including unparsable parameters rejected by net/http. This
	could permit query parameter smuggling when a Go proxy forwards a parameter with
	an unparsable value.

	After fix, ReverseProxy sanitizes the query parameters in the forwarded query
	when the outbound request's Form field is set after the ReverseProxy. Director
	function returns, indicating that the proxy has parsed the query parameters.
	Proxies which do not parse query parameters continue to forward the original
	query parameters unchanged.
	credits:
	- Gal Goldstein (Security Researcher, Oxeye)
	- Daniel Abeles (Head of Research, Oxeye)
	references:
	- report: https://go.dev/issue/54663
	- fix: https://go.dev/cl/432976
	- web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
	cve_metadata:
	id: CVE-2022-2880
	cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests'