Fluid Attacks Database

Description

golang.org/x/net/http2/h2c vulnerable to request smuggling attack A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Specific Go Packages Affected

golang.org/x/net/http2/h2c

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	golang-golang-x-net	>=0 <1:0.4.0+dfsg-1	1:0.4.0+dfsg-1
go	golang.org/x/net/http2/h2c	>=0.0.0-20220524220425-1d687d428aca <0.1.1-0.20221104162952-702349b0e862	0.1.1-0.20221104162952-702349b0e862
debian 12	golang-golang-x-net	>=0 <1:0.4.0+dfsg-1	1:0.4.0+dfsg-1
debian 14	golang-golang-x-net	>=0 <1:0.4.0+dfsg-1	1:0.4.0+dfsg-1
go	golang.org/x/net	>=0.0.0-20220524220425-1d687d428aca <0.1.1-0.20221104162952-702349b0e862	0.1.1-0.20221104162952-702349b0e862
rpm rhel8	osbuild-composer	-	-
rpm rhel9	osbuild-composer	-	-

Aliases

1. CVE-2022-417212. NVD-2022-417213. OSV-DEBIAN-2022-417214. OSV-2022-417215. GHSA-fxg5-wq6x-vr4w6. GCVE-2022-417217. SECURITY-TRACKER-CVE-2022-41721

References

1. https://go.dev/cl/4473962. https://go.dev/issue/563523. https://pkg.go.dev/vuln/GO-2023-14954. https://lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN5. https://lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP