PT-2023-14021 · Google+1 · Golang.Org/X/Net/Http2/H2C+1

John Howard · Published 2023-01-13 · Updated 2025-04-04 · CVE-2022-41721

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

golang.org/x/net/http2/h2c (affected versions not specified)

Description

A request smuggling attack is possible when using MaxBytesHandler. The body of an HTTP request is not fully consumed, and when the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request. This could be attacker-manipulated to represent arbitrary HTTP2 requests.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
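
One interim guard that follows from the description above, written for this page as an added example and not taken from golang.org/x/net or its fix: a net/http middleware that refuses h2c upgrade requests declaring a body, so no unread body bytes remain on the connection when HTTP/2 frame parsing starts. The names wantsH2C, rejectH2CWithBody and status are hypothetical, the requests are constructed, and the inner handler is a stand-in for the application's h2c handler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// wantsH2C reports whether any Upgrade header carries an "h2c" token.
func wantsH2C(r *http.Request) bool {
	for _, tok := range strings.Split(strings.Join(r.Header.Values("Upgrade"), ","), ",") {
		if strings.EqualFold(strings.TrimSpace(tok), "h2c") {
			return true
		}
	}
	return false
}

// rejectH2CWithBody (hypothetical name) refuses upgrade requests that declare
// a body. ContentLength is -1 for chunked bodies, hence the "!= 0" check.
func rejectH2CWithBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if wantsH2C(r) && r.ContentLength != 0 {
			w.Header().Set("Connection", "close") // do not reuse this connection
			http.Error(w, "h2c upgrade with a body refused", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status runs one constructed POST through the guard and returns the code.
func status(body string, upgrade, chunked bool) int {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}) // stand-in
	req := httptest.NewRequest("POST", "/", strings.NewReader(body))
	if chunked {
		req.ContentLength = -1 // length unknown, as with Transfer-Encoding: chunked
	}
	if upgrade {
		req.Header.Set("Upgrade", "h2c")
	}
	rec := httptest.NewRecorder()
	rejectH2CWithBody(inner).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("", true, false), status("AAAA", true, false), status("AAAA", false, false))
}
```

The guard is meant to sit outermost in the handler chain, so it runs before any handler that could take over the connection.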

Exploit

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

AZL-13029
CVE-2022-41721
ECHO-FC94-9D86-65B0
GHSA-FXG5-WQ6X-VR4W
GO-2023-1495
OPENSUSE-SU-2024:12666-1

Affected Products

Astra Linux
Golang.Org/X/Net/Http2/H2C