CVE-2022-32148
CVE-2022-32148 affects Go’s net/http/httputil ReverseProxy. A nil value in Request.Header for X-Forwarded-For can trigger ReverseProxy.ServeHTTP to set the client IP as the header value, exposing the client IP. Affected component: net/http/httputil ReverseProxy handling. Root cause: improper hand...
CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
CVE-2022-1705 Improper sanitization of Transfer-Encoding headers in net/http
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid...
CVE-2022-1705
CVE-2022-1705: In Go, the net/http HTTP/1 client accepted certain invalid Transfer-Encoding headers, enabling potential HTTP request smuggling when paired with an intermediary server that also fails to reject the header. Affected: Go’s HTTP/1 client prior to Go 1.17.12 and Go 1.18.4. Impact is ti...
Oracle Linux 8 : go-toolset:ol8 (ELSA-2022-5775)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-5775 advisory. delve 1.7.2-1.0.1 - Disable DWARF compression which has issues Alex Burmashev 1.7.2-1 - Rebase to 1.7.2 - Related: rhbz2014088 golang 1.17.12-1 - Updat...
golang: net/http: improper sanitization of Transfer-Encoding header
A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the invalid header...
CentOS 8 : go-toolset:rhel8 (CESA-2022:5775)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2022:5775 advisory. - golang: net/http: improper sanitization of Transfer-Encoding header CVE-2022-1705 - golang: go/parser: stack exhaustion in all Parse functions...
RHEL 9 : go-toolset and golang (RHSA-2022:5799)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:5799 advisory. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go...
Fedora: Security Advisory for golang-github-elazarl-bindata-assetfs (FEDORA-2022-ea8f4e232d)
The remote host is missing an update for the...
[SECURITY] Fedora 36 Update: golang-github-valyala-fasthttp-1.29.0-4.fc36
Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http...
[SECURITY] Fedora 36 Update: golang-github-elazarl-bindata-assetfs-1.0.1-10.fc36
Serve embedded files from jteeuwen/go-bindata with net/http...
GO-2022-0525 Improper sanitization of Transfer-Encoding headers in net/http
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid...
Mageia: Security Advisory (MGASA-2022-0262)
The remote host is missing an update for the...
[SECURITY] Fedora 35 Update: golang-github-elazarl-bindata-assetfs-1.0.1-9.fc35
Serve embedded files from jteeuwen/go-bindata with net/http...
GO-2022-0288 Unbounded memory growth in net/http and golang.org/x/net/http2
An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests...
GO-2022-0236 Panic due to large headers in net/http and golang.org/x/net/http/httpguts
A malicious HTTP server or client can cause the net/http client or server to panic. ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header over 7MB on 64-bit architectures, or over 4MB on 32-bit ones. Transport and Client are vulnerable and the program can be...
FreeBSD : go -- multiple vulnerabilities (a4f2416c-02a0-11ed-b817-10c37b4ac2ea)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the a4f2416c-02a0-11ed-b817-10c37b4ac2ea advisory. - The Go project reports: net/http: improper sanitization of Transfer-Encoding header The HTTP...