blob: 9b3d61384eca827d66b909ca2d7454aabbd8e265 [file] [log] [blame]
id: GO-2022-1038
modules:
- module: std
versions:
- fixed: 1.18.7
- introduced: 1.19.0-0
- fixed: 1.19.2
vulnerable_at: 1.19.1
packages:
- package: net/http/httputil
symbols:
- ReverseProxy.ServeHTTP
summary: Incorrect sanitization of forwarded query parameters in net/http/httputil
description: |-
Requests forwarded by ReverseProxy include the raw query parameters from the
inbound request, including unparsable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter with
an unparsable value.
After fix, ReverseProxy sanitizes the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy. Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
credits:
- Gal Goldstein (Security Researcher, Oxeye)
- Daniel Abeles (Head of Research, Oxeye)
references:
- report: https://go.dev/issue/54663
- fix: https://go.dev/cl/432976
- web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
cve_metadata:
id: CVE-2022-2880
cwe: 'CWE-444: Inconsistent Interpretation of HTTP Requests'
references:
- https://security.gentoo.org/glsa/202311-09
review_status: REVIEWED