CVE-2022-2880 (GCVE-0-2022-2880)

Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-02-13 16:32
VLAI
Title
Incorrect sanitization of forwarded query parameters in net/http/httputil
Summary
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
  • CWE-444 - Inconsistent Interpretation of HTTP Requests
Assigner
Go
References
Impacted products
Vendor Product Version
Go standard library net/http/httputil Affected: 0 , < 1.18.7 (semver)
Affected: 1.19.0-0 , < 1.19.2 (semver)
Create a notification for this product.
Credits
Gal Goldstein (Security Researcher, Oxeye) Daniel Abeles (Head of Research, Oxeye)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:52:59.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/54663"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/432976"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2022-1038"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http/httputil",
          "product": "net/http/httputil",
          "programRoutines": [
            {
              "name": "ReverseProxy.ServeHTTP"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.18.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.19.2",
              "status": "affected",
              "version": "1.19.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Gal Goldstein (Security Researcher, Oxeye)"
        },
        {
          "lang": "en",
          "value": "Daniel Abeles (Head of Research, Oxeye)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-25T11:09:33.806Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/54663"
        },
        {
          "url": "https://go.dev/cl/432976"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2022-1038"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Incorrect sanitization of forwarded query parameters in net/http/httputil"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2022-2880",
    "datePublished": "2022-10-14T00:00:00.000Z",
    "dateReserved": "2022-08-17T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:39.111Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-2880",
      "date": "2026-06-10",
      "epss": "0.00031",
      "percentile": "0.09579"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.18.7\", \"matchCriteriaId\": \"9CB667C1-EC12-4400-B4F0-6D3B7DDAAD99\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.19.0\", \"versionEndExcluding\": \"1.19.2\", \"matchCriteriaId\": \"7614AA04-CA34-4ED8-B580-005EA84BD5B4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.\"}, {\"lang\": \"es\", \"value\": \"Las peticiones reenviadas por ReverseProxy incluyen los par\\u00e1metros de consulta sin procesar de la petici\\u00f3n entrante, incluyendo par\\u00e1metros no analizables rechazados por net/http. Esto podr\\u00eda permitir el contrabando de par\\u00e1metros de consulta cuando un proxy Go reenv\\u00eda un par\\u00e1metro con un valor no analizable. Despu\\u00e9s de la correcci\\u00f3n, ReverseProxy sanea los par\\u00e1metros de consulta en la consulta reenviada cuando el campo Form de la petici\\u00f3n saliente es establecido despu\\u00e9s de que la funci\\u00f3n ReverseProxy. La funci\\u00f3n Director regresa, indicando que el proxy ha analizado los par\\u00e1metros de la consulta. Los proxies que no analizan los par\\u00e1metros de consulta contin\\u00faan reenviando los par\\u00e1metros de consulta originales sin cambios\"}]",
      "id": "CVE-2022-2880",
      "lastModified": "2024-11-21T07:01:51.610",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-10-14T15:15:18.090",
      "references": "[{\"url\": \"https://go.dev/cl/432976\", \"source\": \"security@golang.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://go.dev/issue/54663\", \"source\": \"security@golang.org\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU\", \"source\": \"security@golang.org\", \"tags\": [\"Mailing List\", \"Release Notes\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2022-1038\", \"source\": \"security@golang.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202311-09\", \"source\": \"security@golang.org\"}, {\"url\": \"https://go.dev/cl/432976\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://go.dev/issue/54663\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Release Notes\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2022-1038\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202311-09\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@golang.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-2880\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2022-10-14T15:15:18.090\",\"lastModified\":\"2024-11-21T07:01:51.610\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.\"},{\"lang\":\"es\",\"value\":\"Las peticiones reenviadas por ReverseProxy incluyen los par\u00e1metros de consulta sin procesar de la petici\u00f3n entrante, incluyendo par\u00e1metros no analizables rechazados por net/http. Esto podr\u00eda permitir el contrabando de par\u00e1metros de consulta cuando un proxy Go reenv\u00eda un par\u00e1metro con un valor no analizable. Despu\u00e9s de la correcci\u00f3n, ReverseProxy sanea los par\u00e1metros de consulta en la consulta reenviada cuando el campo Form de la petici\u00f3n saliente es establecido despu\u00e9s de que la funci\u00f3n ReverseProxy. La funci\u00f3n Director regresa, indicando que el proxy ha analizado los par\u00e1metros de la consulta. Los proxies que no analizan los par\u00e1metros de consulta contin\u00faan reenviando los par\u00e1metros de consulta originales sin cambios\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.18.7\",\"matchCriteriaId\":\"9CB667C1-EC12-4400-B4F0-6D3B7DDAAD99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.19.0\",\"versionEndExcluding\":\"1.19.2\",\"matchCriteriaId\":\"7614AA04-CA34-4ED8-B580-005EA84BD5B4\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/432976\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/54663\",\"source\":\"security@golang.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2022-1038\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/cl/432976\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/54663\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2022-1038\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.