blob: f715f74e29743b35246680639a10b640757763c3 [file] [log] [blame]
id: GO-2022-0520
modules:
- module: std
versions:
- fixed: 1.17.12
- introduced: 1.18.0-0
- fixed: 1.18.4
vulnerable_at: 1.18.3
packages:
- package: net/http
symbols:
- Header.Clone
summary: Exposure of client IP addresses in net/http
description: |-
Client IP adresses may be unintentionally exposed via X-Forwarded-For headers.
When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy sets the
client IP as the value of the X-Forwarded-For header, contrary to its
documentation.
In the more usual case where a Director function sets the X-Forwarded-For header
value to nil, ReverseProxy leaves the header unmodified as expected.
published: 2022-07-28T17:23:05Z
credits:
- Christian Mehlmauer
references:
- fix: https://go.dev/cl/412857
- fix: https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a
- report: https://go.dev/issue/53423
- web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
cve_metadata:
id: CVE-2022-32148
cwe: 'CWE-200: Information Exposure'
description: |-
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go
1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a
Request.Header map containing a nil value for the X-Forwarded-For header, which
causes ReverseProxy to set the client IP as the value of the X-Forwarded-For
header.
review_status: REVIEWED