data/reports: add GO-2023-1495.yaml

Aliases: CVE-2022-41721

Updates golang/vulndb#1495

Change-Id: I4a95c86b2b1815e8b774d00e810c3d110771456f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462082
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: John Howard <howardjohn@google.com>
diff --git a/data/cve/v5/GO-2023-1495.json b/data/cve/v5/GO-2023-1495.json
new file mode 100644
index 0000000..6137d36
--- /dev/null
+++ b/data/cve/v5/GO-2023-1495.json
@@ -0,0 +1,72 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2022-41721"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "golang.org/x/net",
+          "product": "golang.org/x/net/http2/h2c",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/net/http2/h2c",
+          "versions": [
+            {
+              "version": "0.0.0-20220524220425-1d687d428aca",
+              "lessThan": "0.1.1-0.20221104162952-702349b0e862",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "h2cHandler.ServeHTTP"
+            },
+            {
+              "name": "h2cUpgrade"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE 444: Inconsistent Interpretation of HTTP Requests (\"HTTP Request/Response Smuggling)"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/issue/56352"
+        },
+        {
+          "url": "https://go.dev/cl/447396"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2023-1495"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "John Howard (Google)"
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-1495.json b/data/osv/GO-2023-1495.json
new file mode 100644
index 0000000..4ad7191
--- /dev/null
+++ b/data/osv/GO-2023-1495.json
@@ -0,0 +1,60 @@
+{
+  "id": "GO-2023-1495",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-41721"
+  ],
+  "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.",
+  "affected": [
+    {
+      "package": {
+        "name": "golang.org/x/net",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.0.0-20220524220425-1d687d428aca"
+            },
+            {
+              "fixed": "0.1.1-0.20221104162952-702349b0e862"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2023-1495"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/net/http2/h2c",
+            "symbols": [
+              "h2cHandler.ServeHTTP",
+              "h2cUpgrade"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/56352"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/447396"
+    }
+  ],
+  "credits": [
+    {
+      "name": "John Howard (Google)"
+    }
+  ],
+  "schema_version": "1.3.1"
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-1495.yaml b/data/reports/GO-2023-1495.yaml
new file mode 100644
index 0000000..067a9c8
--- /dev/null
+++ b/data/reports/GO-2023-1495.yaml
@@ -0,0 +1,26 @@
+modules:
+  - module: golang.org/x/net
+    versions:
+      - introduced: 0.0.0-20220524220425-1d687d428aca
+        fixed: 0.1.1-0.20221104162952-702349b0e862
+    vulnerable_at: 0.1.1-0.20221104145632-7a676822c292
+    packages:
+      - package: golang.org/x/net/http2/h2c
+        symbols:
+          - h2cHandler.ServeHTTP
+          - h2cUpgrade
+description: |
+    A request smuggling attack is possible when using MaxBytesHandler.
+
+    When using MaxBytesHandler, the body of an HTTP request is not fully
+    consumed. When the server attempts to read HTTP2 frames from the
+    connection, it will instead be reading the body of the HTTP request,
+    which could be attacker-manipulated to represent arbitrary HTTP2 requests.
+credit: John Howard (Google)
+references:
+  - report: https://go.dev/issue/56352
+  - fix: https://go.dev/cl/447396
+cve_metadata:
+    id: CVE-2022-41721
+    cwe: 'CWE 444: Inconsistent Interpretation of HTTP Requests ("HTTP Request/Response
+        Smuggling)'
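Review bot: The `description` never names the affected component: it speaks only of MaxBytesHandler, while the package and symbols listed above it are all in `golang.org/x/net/http2/h2c`, so someone triaging from the advisory text alone cannot tell that exposure is limited to servers using the h2c upgrade path. Consider opening it with something like `A request smuggling attack is possible when an h2c handler (golang.org/x/net/http2/h2c) is wrapped in net/http's MaxBytesHandler.`, assuming that matches the linked issue. Separately, the `cwe` value under `cve_metadata` has an unbalanced double quote: `("HTTP Request/Response Smuggling)` should close as `("HTTP Request/Response Smuggling")`. The same string is carried into the `problemTypes` description of data/cve/v5/GO-2023-1495.json, which appears to be generated from this report, so the fix belongs here and the JSON should be regenerated.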