vulndb/data/osv/GO-2022-1038.json

{
  "id": "GO-2022-1038",
  "published": "0001-01-01T00:00:00Z",
  "modified": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2022-2880"
  ],
  "details": "Requests forwarded by ReverseProxy include the raw query parameters from\nthe inbound request, including unparseable parameters rejected by net/http.\nThis could permit query parameter smuggling when a Go proxy forwards a\nparameter with an unparseable value.\n\nAfter fix, ReverseProxy sanitizes the query parameters in the forwarded\nquery when the outbound request's Form field is set after the ReverseProxy.\nDirector function returns, indicating that the proxy has parsed the query\nparameters. Proxies which do not parse query parameters continue to forward\nthe original query parameters unchanged.\n",
  "affected": [
    {
      "package": {
        "name": "stdlib",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.7"
            },
            {
              "introduced": "1.19.0"
            },
            {
              "fixed": "1.19.2"
            }
          ]
        }
      ],
      "database_specific": {
        "url": "https://pkg.go.dev/vuln/GO-2022-1038"
      },
      "ecosystem_specific": {
        "imports": [
          {
            "path": "net/http/httputil",
            "symbols": [
              "ReverseProxy.ServeHTTP"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "REPORT",
      "url": "https://go.dev/issue/54663"
    },
    {
      "type": "FIX",
      "url": "https://go.dev/cl/432976"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
    }
  ],
  "credits": [
    {
      "name": "Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye)\n"
    }
  ]
}