Bug 2162182 (CVE-2022-41721)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2022-41721 x/net/http2/h2c: request smuggling | | |
| Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | dfreiber, gparvin, jburrell, jwendell, jwon, lball, matzew, nboldt, njean, osbuilders, owatkins, pahickey, rcernich, rhuss, rogbas, scorneli, stcannon, teagle, twalsh, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | golang.org/x/net 0.1.1-0.20221104162952-702349b0e862 | Doc Type: | --- |
| Doc Text: | A request smuggling attack is possible when MaxBytesHandler is used with the h2c handler. With MaxBytesHandler in place, the body of an HTTP request is not fully consumed; when the server then attempts to read HTTP/2 frames from the connection, it instead reads the remainder of the request body, which an attacker could shape to represent arbitrary HTTP/2 requests. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-18 04:44:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2162188, 2162184, 2162185, 2162186, 2162187, 2163124, 2163125, 2232267, 2232706, 2232707 | | |
| Bug Blocks: | 2161236 | | |
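The mechanism in the Doc Text, reduced to a stdlib-only Go simulation added here (this is not code from golang.org/x/net and does not reproduce the upstream patch): a handler reads an h2c upgrade request's body through http.MaxBytesReader, which is what MaxBytesHandler installs, stops at the limit, and whatever is left of the body is what the next protocol layer reads from the connection. The request bytes, the 4-byte limit and the `<next-frame>` marker are constructed for the demonstration; the `drainFirst` branch shows the general mitigation pattern of finishing the request body before the connection is handed over.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed connection contents: an HTTP/1.1 h2c upgrade request carrying a
// 20-byte body, followed by a marker standing in for the first HTTP/2 frame
// the server expects to read once the protocol switch has happened.
const body = "AAAABBBBCCCCDDDDEEEE"
const nextFrame = "<next-frame>"
const rawConn = "POST / HTTP/1.1\r\nHost: example.test\r\n" +
	"Connection: Upgrade\r\nUpgrade: h2c\r\nContent-Length: 20\r\n\r\n" +
	body + nextFrame

// upgradeLeftover parses the request from the connection, lets a handler read
// the body through http.MaxBytesReader with a limit of maxBody bytes, and
// returns the bytes still on the connection afterwards, i.e. what an HTTP/2
// frame reader would parse next. With drainFirst set, the rest of the body is
// consumed before the hand-over, so the HTTP/2 side only ever sees real frames.
func upgradeLeftover(raw string, maxBody int64, drainFirst bool) ([]byte, error) {
	br := bufio.NewReader(strings.NewReader(raw))
	req, err := http.ReadRequest(br)
	if err != nil {
		return nil, err
	}
	// The handler stops at the limit; everything past it stays unread.
	limited := http.MaxBytesReader(nil, req.Body, maxBody)
	_, _ = io.ReadAll(limited)
	if drainFirst {
		// Mitigation pattern: never switch protocols while request-body bytes
		// remain; finish the body (bounded by Content-Length) first.
		if _, err := io.Copy(io.Discard, req.Body); err != nil {
			return nil, err
		}
	}
	return io.ReadAll(br)
}

func main() {
	for _, drain := range []bool{false, true} {
		left, err := upgradeLeftover(rawConn, 4, drain)
		fmt.Printf("drain=%v next bytes on connection=%q err=%v\n", drain, left, err)
	}
}
```

Upgrading golang.org/x/net to the Fixed In Version above is the actual remediation; the drain branch only illustrates why leftover body bytes must not reach the frame reader.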
Description
Anten Skrabec
2023-01-19 03:52:13 UTC
Created caddy tracking bugs for this issue:
Affects: fedora-36 [bug 2162187]

Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:
Affects: fedora-all [bug 2162185]

Created golang-x-net tracking bugs for this issue:
Affects: epel-8 [bug 2162188]
Affects: fedora-36 [bug 2162186]

Created osbuild-composer tracking bugs for this issue:
Affects: fedora-all [bug 2162184]

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.13
Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-41721

This issue has been addressed in the following products:
MTA-6.2-RHEL-9
MTA-6.2-RHEL-8
Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

This issue has been addressed in the following products:
multicluster engine for Kubernetes 2.3 for RHEL 8
Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8
Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442