Fluid Attacks Database

Description

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.17.12	1.17.12
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	>=0 <1.19~rc1-1	1.19~rc1-1
rpm rhel9	grafana-pcp	<0:3.2.0-3.el9	0:3.2.0-3.el9
rpm rhel9	skopeo	-	-
rpm rhel9	buildah	-	-
rpm rhel8	git-lfs	<0:2.13.3-3.el8_6	0:2.13.3-3.el8_6
rpm rhel9	git-lfs	<0:3.2.0-1.el9	0:3.2.0-1.el9
rpm rhel8	go-toolset	<0:1.17.12-1.module+el8.6.0+16014+a372c00b	0:1.17.12-1.module+el8.6.0+16014+a372c00b
rpm rhel9	go-toolset	-	-

1-10 of 18

Aliases

1. CVE-2022-321482. NVD-2022-321483. OSV-GO-2022-05204. OSV-2022-321485. OSV-DEBIAN-2022-321486. GCVE-2022-321487. SECURITY-TRACKER-CVE-2022-32148

References

1. https://go.dev/cl/4128572. https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a3. https://go.dev/issue/534234. https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.