A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Created caddy tracking bugs for this issue: Affects: fedora-36 [bug 2162187] Created golang-github-deepmap-oapi-codegen tracking bugs for this issue: Affects: fedora-all [bug 2162185] Created golang-x-net tracking bugs for this issue: Affects: epel-8 [bug 2162188] Affects: fedora-36 [bug 2162186] Created osbuild-composer tracking bugs for this issue: Affects: fedora-all [bug 2162184]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41721
This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.3 for RHEL 8 Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8 Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442