Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-2880

UNKNOWN
Published 2022-10-14T00:00:00.000Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-2880. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Go standard library

net/http/httputil

Affected Versions:

0 1.19.0-0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-m3hq-grv6-h853

Advisory Details

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-2880
WEB https://go.dev/cl/432976
WEB https://go.dev/issue/54663
WEB https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/THKJHFMX4DAZXJ5MFPN3BNHZDN7BW5RI
WEB https://pkg.go.dev/vuln/GO-2022-1038
WEB https://security.gentoo.org/glsa/202311-09
WEB https://www.oxeye.io/blog/golang-parameter-smuggling-attack

Advisory provided by GitHub Security Advisory Database. Published: October 14, 2022, Modified: October 18, 2022

References

https://go.dev/issue/54663
https://go.dev/cl/432976
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1038
https://security.gentoo.org/glsa/202311-09
Published: 2022-10-14T00:00:00.000Z
Last Modified: 2025-02-13T16:32:39.111Z
Copied to clipboard!