CVE-2022-2880

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-2880
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-10-14 15:15:00 UTC
Updated2023-11-25 11:15:00 UTC
DescriptionRequests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

Risk And Classification

Problem Types: CWE-444

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Fedoraproject Fedora 37 All All All
Application Golang Go All All All All

References

ReferenceSourceLinkTags
Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security security.gentoo.org
[SECURITY] Fedora 37 Update: golang-1.19.2-1.fc37 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
net/http/httputil: ReverseProxy should not forward unparseable query parameters · Issue #54663 · golang/go · GitHub MISC go.dev
“ParseThru” – Exploiting HTTP Parameter Smuggling in Golang MISC www.oxeye.io
go.dev/cl/432976 MISC go.dev
[security] Go 1.19.2 and Go 1.18.7 are released MISC groups.google.com
GO-2022-1038 - Go Packages MISC pkg.go.dev
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160322 Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-24267)
  • 160414 Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-0328)
  • 160440 Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-0446)
  • 160499 Oracle Enterprise Linux Security Update for ol8addon (ELSA-2023-18908)
  • 160582 Oracle Enterprise Linux Security Update for git-lfs (ELSA-2023-2357)
  • 160609 Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2204)
  • 160619 Oracle Enterprise Linux Security Update for grafana security and enhancement update (ELSA-2023-2167)
  • 160655 Oracle Enterprise Linux Security Update for grafana (ELSA-2023-2784)
  • 160663 Oracle Enterprise Linux Security Update for git-lfs (ELSA-2023-2866)
  • 160666 Oracle Enterprise Linux Security Update for image builder (ELSA-2023-2780)
  • 161289 Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2024-0121)
  • 184637 Debian Security Update for golang-1.19 (CVE-2022-2880)
  • 199304 Ubuntu Security Notification for Go Vulnerabilities (USN-6038-1)
  • 241070 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)
  • 241106 Red Hat Update for go-toolset and golang (RHSA-2023:0328)
  • 241132 Red Hat Update for go-toolset:rhel8 (RHSA-2023:0446)
  • 241187 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)
  • 241268 Red Hat Update for multiple OpenStack Platforms (RHSA-2023:1275)
  • 241424 Red Hat Update for image builder security (RHSA-2023:2204)
  • 241453 Red Hat Update for grafana (RHSA-2023:2167)
  • 241467 Red Hat Update for git-lfs (RHSA-2023:2357)
  • 241485 Red Hat Update for grafana (RHSA-2023:2784)
  • 241490 Red Hat Update for image builder security (RHSA-2023:2780)
  • 241520 Red Hat Update for git-lfs (RHSA-2023:2866)
  • 241747 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)
  • 242882 Red Hat Update for container-tools:4.0 (RHSA-2024:0121)
  • 354890 Amazon Linux Security Advisory for golang : ALAS2-2023-2015
  • 355216 Amazon Linux Security Advisory for golang : ALAS2023-2023-175
  • 356304 Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-002
  • 378046 Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0028)
  • 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
  • 378652 Alibaba Cloud Linux Security Update for git-lfs (ALINUX3-SA-2023:0071)
  • 378707 Alibaba Cloud Linux Security Update for grafana (ALINUX3-SA-2023:0075)
  • 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
  • 502529 Alpine Linux Security Update for go
  • 502859 Alpine Linux Security Update for go
  • 672413 EulerOS Security Update for golang (EulerOS-SA-2022-2795)
  • 672476 EulerOS Security Update for golang (EulerOS-SA-2023-1035)
  • 672519 EulerOS Security Update for golang (EulerOS-SA-2023-1010)
  • 672528 EulerOS Security Update for golang (EulerOS-SA-2023-1100)
  • 672533 EulerOS Security Update for golang (EulerOS-SA-2023-1124)
  • 672621 EulerOS Security Update for golang (EulerOS-SA-2023-1385)
  • 672650 EulerOS Security Update for golang (EulerOS-SA-2023-1357)
  • 672761 EulerOS Security Update for golang (EulerOS-SA-2023-1505)
  • 690952 Free Berkeley Software Distribution (FreeBSD) Security Update for go (854c2afb-4424-11ed-af97-adcabf310f9b)
  • 710791 Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)
  • 753218 SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2022:3669-1)
  • 753359 SUSE Enterprise Linux Security Update for go1.18 (SUSE-SU-2022:3668-1)
  • 754047 SUSE Enterprise Linux Security Update for go1.18-openssl (SUSE-SU-2023:2312-1)
  • 770172 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)
  • 770176 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:0727)
  • 770197 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3613)
  • 904230 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11155)
  • 904255 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129)
  • 907517 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129-1)
  • 907753 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11155-1)
  • 907855 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129-2)
  • 908054 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (11129-4)
  • 940905 AlmaLinux Security Update for go-toolset and golang (ALSA-2023:0328)
  • 940911 AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:0446)
  • 941046 AlmaLinux Security Update for grafana (ALSA-2023:2167)
  • 941053 AlmaLinux Security Update for git-lfs (ALSA-2023:2357)
  • 941063 AlmaLinux Security Update for Image (ALSA-2023:2204)
  • 941104 AlmaLinux Security Update for grafana (ALSA-2023:2784)
  • 941108 AlmaLinux Security Update for git-lfs (ALSA-2023:2866)
  • 941118 AlmaLinux Security Update for Image (ALSA-2023:2780)
  • 941535 AlmaLinux Security Update for container-tools:4.0 (ALSA-2024:0121)
  • 960489 Rocky Linux Security Update for go-toolset and golang (RLSA-2023:0328)
  • 960609 Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2023:0446)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report