PT-2023-14021 · Google+1 · Golang.Org/X/Net/Http2/H2C+1
John Howard · Published 2023-01-13 · Updated 2025-04-04 · CVE-2022-41721
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
golang.org/x/net/http2/h2c (affected versions not specified)
Description
A request smuggling attack is possible when using MaxBytesHandler. The body of an HTTP request is not fully consumed, so when the server attempts to read HTTP/2 frames from the connection, it instead reads the remainder of the HTTP request body. An attacker can craft that body so that it is interpreted as arbitrary HTTP/2 requests.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
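One defensive guard for the condition in the description, as an added example that is not code from golang.org/x/net or from this advisory: refuse any `Upgrade: h2c` request that carries a body, so no unread body can remain on a connection that is about to be read as HTTP/2 frames. `RejectH2CUpgradeWithBody` and `StatusFor` are hypothetical names, the requests are constructed, and the guard is assumed to wrap the h2c handler as the outermost layer.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isH2CUpgrade reports whether the request asks to switch the
// HTTP/1.1 connection to cleartext HTTP/2 ("Upgrade: h2c").
func isH2CUpgrade(r *http.Request) bool {
	for _, v := range r.Header.Values("Upgrade") {
		for _, tok := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(tok), "h2c") {
				return true
			}
		}
	}
	return false
}

// RejectH2CUpgradeWithBody (hypothetical name) must wrap the h2c handler,
// so a body that a size-limiting handler would leave unread never stays on
// a connection that is about to be read as HTTP/2 frames.
func RejectH2CUpgradeWithBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// ContentLength is -1 for chunked bodies and >0 for sized ones.
		if isH2CUpgrade(r) && r.ContentLength != 0 {
			w.Header().Set("Connection", "close")
			http.Error(w, "h2c upgrade with a request body refused", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one constructed request through the guard and returns the status code.
func StatusFor(upgrade, body string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	if upgrade != "" {
		req.Header.Set("Upgrade", upgrade)
	}
	rec := httptest.NewRecorder()
	RejectH2CUpgradeWithBody(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(StatusFor("h2c", "constructed body")) // upgrade with a body
	fmt.Println(StatusFor("h2c", ""))                 // upgrade without a body
	fmt.Println(StatusFor("", "constructed body"))    // ordinary POST
}
```

Ordinary requests and body-less upgrade requests pass through unchanged; only the combination the description depends on is refused with a 400 and `Connection: close`.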
Exploit
HTTP Request/Response Smuggling
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Golang.Org/X/Net/Http2/H2C