CVE-2022-41721
Summary
| CVE | CVE-2022-41721 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-01-13 23:15:00 UTC |
| Updated | 2023-11-07 03:52:00 UTC |
| Description | A request smuggling attack is possible when the h2c handler in golang.org/x/net/http2/h2c is used together with MaxBytesHandler. With MaxBytesHandler in place, the body of the HTTP/1.1 upgrade request is not fully consumed before the connection is handed to the HTTP/2 server. When the server then attempts to read HTTP/2 frames from the connection, it instead reads the remainder of the request body, which an attacker can craft to represent arbitrary HTTP/2 requests. |
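The mechanism in the description, as an added, self-contained Go simulation (not code from the x/net project or from this record): an in-memory reader stands in for the client connection, `http.MaxBytesReader` stands in for what `http.MaxBytesHandler` hands the handler, and the "hijack" is simply continuing to read from that same reader. The constructed attacker body is filler followed by a valid start of an HTTP/2 stream (an empty SETTINGS frame, then a HEADERS frame on stream 1 whose HPACK payload is stubbed with zero bytes). The byte limit of 16, the frame layout and the function names are assumptions for the demonstration; the offset of `limit+1` relies on the documented behaviour of `http.MaxBytesReader`, which reads one byte past its limit to detect overflow. The hardened variant shows the defensive pattern (fail the upgrade on a body read error instead of hijacking), not a copy of the upstream patch.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// HTTP/2 frame types and flags used below (RFC 7540 §6).
const (
	frameHeaders   = 0x1
	frameSettings  = 0x4
	flagEndStream  = 0x1
	flagEndHeaders = 0x4
)

// FrameHeader is the fixed 9-byte HTTP/2 frame header (RFC 7540 §4.1).
type FrameHeader struct {
	Length   uint32 // 24-bit payload length
	Type     uint8
	Flags    uint8
	StreamID uint32 // 31-bit stream identifier
}

func (h FrameHeader) encode() []byte {
	b := make([]byte, 9)
	b[0], b[1], b[2] = byte(h.Length>>16), byte(h.Length>>8), byte(h.Length)
	b[3], b[4] = h.Type, h.Flags
	binary.BigEndian.PutUint32(b[5:], h.StreamID&0x7fffffff)
	return b
}

// readFrames walks whatever is left on conn the way an HTTP/2 server would:
// 9-byte header, then skip Length bytes of payload. Returns the headers seen.
func readFrames(conn io.Reader) ([]FrameHeader, error) {
	var frames []FrameHeader
	for {
		hdr := make([]byte, 9)
		if _, err := io.ReadFull(conn, hdr); err != nil {
			if errors.Is(err, io.EOF) {
				return frames, nil // clean end of stream
			}
			return frames, err // truncated header
		}
		h := FrameHeader{
			Length:   uint32(hdr[0])<<16 | uint32(hdr[1])<<8 | uint32(hdr[2]),
			Type:     hdr[3],
			Flags:    hdr[4],
			StreamID: binary.BigEndian.Uint32(hdr[5:]) & 0x7fffffff,
		}
		if _, err := io.CopyN(io.Discard, conn, int64(h.Length)); err != nil {
			return frames, err
		}
		frames = append(frames, h)
	}
}

// attackerBody is the constructed upgrade-request body. The first limit+1
// bytes are filler: http.MaxBytesReader reads one byte past its limit to
// detect overflow, so everything after that offset is still unread on the
// connection when the handler hijacks it. What follows is what an HTTP/2
// client would legitimately send next: an empty SETTINGS frame, then a
// HEADERS frame carrying an attacker-chosen request (HPACK payload stubbed
// with zeros; only the framing matters here).
func attackerBody(limit int) []byte {
	body := bytes.Repeat([]byte{'A'}, limit+1)
	body = append(body, FrameHeader{Type: frameSettings}.encode()...)
	hpack := make([]byte, 16) // placeholder for an encoded request header block
	body = append(body, FrameHeader{Length: uint32(len(hpack)), Type: frameHeaders,
		Flags: flagEndHeaders | flagEndStream, StreamID: 1}.encode()...)
	return append(body, hpack...)
}

// vulnerableUpgrade mirrors the flaw: the body read error is ignored, the
// connection is "hijacked" with body bytes still unread, and the HTTP/2
// server then parses those bytes as frames. limit is the value a deployment
// would have passed to http.MaxBytesHandler.
func vulnerableUpgrade(conn io.Reader, limit int64) (consumed []byte, smuggled []FrameHeader, err error) {
	// nil ResponseWriter: MaxBytesReader only uses it to ask the server to
	// close the connection after the reply, which this simulation has no need of.
	limited := http.MaxBytesReader(nil, io.NopCloser(conn), limit)
	consumed, _ = io.ReadAll(limited) // BUG: error discarded, body left unread
	smuggled, err = readFrames(conn)  // post-hijack: framer reads the leftovers
	return consumed, smuggled, err
}

// hardenedUpgrade refuses the upgrade (and never hijacks) when the body
// could not be read in full, so no unread bytes reach the HTTP/2 framer.
func hardenedUpgrade(conn io.Reader, limit int64) ([]byte, error) {
	limited := http.MaxBytesReader(nil, io.NopCloser(conn), limit)
	body, err := io.ReadAll(limited)
	if err != nil {
		return nil, fmt.Errorf("h2c upgrade refused: %w", err)
	}
	return body, nil
}

func main() {
	const limit = 16
	body := attackerBody(limit)

	consumed, frames, err := vulnerableUpgrade(bytes.NewReader(body), limit)
	fmt.Printf("vulnerable: handler saw %d body bytes, err=%v\n", len(consumed), err)
	for _, f := range frames {
		fmt.Printf("  smuggled frame: type=0x%x flags=0x%x stream=%d len=%d\n",
			f.Type, f.Flags, f.StreamID, f.Length)
	}

	_, err = hardenedUpgrade(bytes.NewReader(body), limit)
	fmt.Println("hardened:", err)
}
```

Running it shows the vulnerable path accepting a 16-byte "body" and then recovering a SETTINGS frame and a HEADERS frame on stream 1 from the same connection, exactly the sequence a real h2c server would treat as the start of a client-initiated request; the hardened path rejects the upgrade on the read error instead. The practical lesson for deployments is that a body limit which silently truncates is worse than no limit when the connection is hijacked afterwards: the fix is to upgrade golang.org/x/net rather than to tune the limit.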
Risk And Classification
Problem Types: CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| GO-2023-1495 - Go Packages | MISC | pkg.go.dev | |
| x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll · Issue #56352 · golang/go · GitHub | MISC | go.dev | |
| [SECURITY] Fedora 37 Update: caddy-2.6.4-1.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| go.dev/cl/447396 | MISC | go.dev | |
| [SECURITY] Fedora 38 Update: caddy-2.6.4-1.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 183725 Debian Security Update for golang-golang-x-net (CVE-2022-41721)
- 357051 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2024-035
- 357058 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2024-035
- 691065 Free Berkeley Software Distribution (FreeBSD) Security Update for traefik (428922c9-b07e-11ed-8700-5404a68ad561)
- 905281 Common Base Linux Mariner (CBL-Mariner) Security Update for opa (13029)
- 907409 Common Base Linux Mariner (CBL-Mariner) Security Update for opa (13029-1)