{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2880", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "assignerShortName": "Go", "dateUpdated": "2023-06-12T19:12:40.079Z", "dateReserved": "2022-08-17T00:00:00", "datePublished": "2022-10-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:12:40.079Z"}, "title": "Incorrect sanitization of forwarded query parameters in net/http/httputil", "descriptions": [{"lang": "en", "value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."}], "affected": [{"vendor": "Go standard library", "product": "net/http/httputil", "collectionURL": "https://pkg.go.dev", "packageName": "net/http/httputil", "versions": [{"version": "0", "lessThan": "1.18.7", "status": "affected", "versionType": "semver"}, {"version": "1.19.0-0", "lessThan": "1.19.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "ReverseProxy.ServeHTTP"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests"}]}], "references": [{"url": "https://go.dev/issue/54663"}, {"url": "https://go.dev/cl/432976"}, {"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1038"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "credits": [{"lang": "en", "value": "Gal Goldstein (Security Researcher, Oxeye)"}, {"lang": "en", "value": "Daniel Abeles (Head of Research, Oxeye)"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CB667C1-EC12-4400-B4F0-6D3B7DDAAD99", "versionEndExcluding": "1.18.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "7614AA04-CA34-4ED8-B580-005EA84BD5B4", "versionEndExcluding": "1.19.2", "versionStartIncluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."}, {"lang": "es", "value": "Las peticiones reenviadas por ReverseProxy incluyen los par\u00e1metros de consulta sin procesar de la petici\u00f3n entrante, incluyendo par\u00e1metros no analizables rechazados por net/http. Esto podr\u00eda permitir el contrabando de par\u00e1metros de consulta cuando un proxy Go reenv\u00eda un par\u00e1metro con un valor no analizable. Despu\u00e9s de la correcci\u00f3n, ReverseProxy sanea los par\u00e1metros de consulta en la consulta reenviada cuando el campo Form de la petici\u00f3n saliente es establecido despu\u00e9s de que la funci\u00f3n ReverseProxy. La funci\u00f3n Director regresa, indicando que el proxy ha analizado los par\u00e1metros de la consulta. Los proxies que no analizan los par\u00e1metros de consulta contin\u00faan reenviando los par\u00e1metros de consulta originales sin cambios"}], "id": "CVE-2022-2880", "lastModified": "2023-11-25T11:15:09.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-14T15:15:18.090", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/432976"}, {"source": "security@golang.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://go.dev/issue/54663"}, {"source": "security@golang.org", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-1038"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}