Fluid Attacks Database

Description

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	>=0 <1.19~rc1-1	1.19~rc1-1
go	stdlib	>=0 <1.17.12	1.17.12
rpm rhel9	osbuild-composer	-	-
rpm rhel9	podman	-	-
rpm rhel9	toolbox	<0:0.0.99.3-5.el9	0:0.0.99.3-5.el9
rpm rhel8	weldr-client	-	-
rpm rhel8	go-toolset	<0:1.17.12-1.module+el8.6.0+16014+a372c00b	0:1.17.12-1.module+el8.6.0+16014+a372c00b
rpm rhel9	grafana-pcp	<0:3.2.0-3.el9	0:3.2.0-3.el9
rpm rhel8	osbuild-composer	-	-

1-10 of 23

Aliases

1. CVE-2022-17052. NVD-2022-17053. OSV-DEBIAN-2022-17054. OSV-2022-17055. OSV-GO-2022-05256. GCVE-2022-17057. SECURITY-TRACKER-CVE-2022-1705

References

1. https://go.dev/cl/4098742. https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f3. https://go.dev/issue/531884. https://go.dev/cl/4107145. https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE