| modules: |
| - module: std |
| versions: |
| - fixed: 1.17.12 |
| - introduced: 1.18.0 |
| fixed: 1.18.4 |
| vulnerable_at: 1.18.3 |
| packages: |
| - package: net/http |
| symbols: |
| - Header.Clone |
| description: | |
| Client IP adresses may be unintentionally exposed via X-Forwarded-For |
| headers. |
| |
| When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map |
| containing a nil value for the X-Forwarded-For header, ReverseProxy sets |
| the client IP as the value of the X-Forwarded-For header, contrary to |
| its documentation. |
| |
| In the more usual case where a Director function sets the |
| X-Forwarded-For header value to nil, ReverseProxy leaves the header |
| unmodified as expected. |
| published: 2022-07-28T17:23:05Z |
| credit: Christian Mehlmauer |
| references: |
| - fix: https://go.dev/cl/412857 |
| - fix: https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a |
| - report: https://go.dev/issue/53423 |
| - web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE |
| cve_metadata: |
| id: CVE-2022-32148 |
| cwe: 'CWE-200: Information Exposure' |
| description: | |
| Improper exposure of client IP addresses in net/http before Go 1.17.12 |
| and Go 1.18.4 can be triggered by calling |
| httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a |
| nil value for the X-Forwarded-For header, which causes ReverseProxy to |
| set the client IP as the value of the X-Forwarded-For header. |
