Bug 2162182 (CVE-2022-41721) - CVE-2022-41721 x/net/http2/h2c: request smuggling
Summary: CVE-2022-41721 x/net/http2/h2c: request smuggling
Keywords:
Status: NEW
Alias: CVE-2022-41721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2162184 2162185 2162186 2162187 2162188 2163124 2163125
Blocks: 2161236
TreeView+ depends on / blocked
 
Reported: 2023-01-19 03:52 UTC by Anten Skrabec
Modified: 2023-02-08 18:16 UTC (History)
20 users (show)

Fixed In Version: golang.org/x/net 0.1.1-0.20221104162952-702349b0e862
Doc Type: ---
Doc Text:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)

Description Anten Skrabec 2023-01-19 03:52:13 UTC 
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Comment 1 Anten Skrabec 2023-01-19 03:53:13 UTC 
Created caddy tracking bugs for this issue:

Affects: fedora-36 [bug 2162187]


Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2162185]


Created golang-x-net tracking bugs for this issue:

Affects: epel-8 [bug 2162188]
Affects: fedora-36 [bug 2162186]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2162184]
Note You need to log in before you can comment on or make changes to this bug.