PT-2022-19246 · Go +9
Name of the Vulnerable Software and Affected Versions: Go versions prior to the fixed version. Description: The issue concerns the ReverseProxy in Go, which includes raw query parameters from the inbound request, including unparsable parameters rejected by net/http, potentially permitting query...
CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
AZL-79054 CVE-2022-32148 affecting package golang 1.25.7-1
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
Design/Logic Flaw
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
CVE-2022-32148
CVE-2022-32148 affects Go’s net/http/httputil ReverseProxy. A nil value in Request.Header for X-Forwarded-For can trigger ReverseProxy.ServeHTTP to set the client IP as the header value, exposing the client IP. Affected component: net/http/httputil ReverseProxy handling. Root cause: improper hand...
OPENSUSE-SU-2022:10080-1 Security update for caddy
This update for caddy fixes the following issues: Update to version 2.5.2: admin: expect quoted ETags (#4879); headers: Only replace known placeholders (#4880); reverseproxy: Err 503 if all upstreams unavailable; reverseproxy: Adjust new TLS Caddyfile directive names (#4872); fileserver: Use safe redirects in...
GO-2022-0520 Exposure of client IP addresses in net/http
Client IP addresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to it...
Information Disclosure
Go is vulnerable to information disclosure. The vulnerability exists in httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which allows a remote attacker to bypass security mechanisms and access sensitive information...
Mageia: Security Advisory (MGASA-2022-0262)
The remote host is missing an update for the...
Updated golang packages fix security vulnerability
net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to...
CVE-2022-32148
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
go -- multiple vulnerabilities
The Go project reports: net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also...
CVE-2021-33197
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity...
CVE-2021-36221
A race condition flaw was found in Go. The incoming request's body wasn't closed after the handler panic, and as a consequence this could lead to a ReverseProxy crash. The highest threat from this vulnerability is to Availability. Mitigation: Mitigation for this issue is either not available or the...
Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-33197)
Summary: Security Vulnerabilities affect IBM Cloud Private - Golang. Vulnerability Details: CVEID: CVE-2021-33197. DESCRIPTION: Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, a...
AlmaLinux 8 : go-toolset:rhel8 (ALSA-2021:4156)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4156 advisory. golang: net: lookup functions may return invalid host names (CVE-2021-33195); golang: net/http/httputil: ReverseProxy forwards connection headers if first on...
EulerOS 2.0 SP10 : golang (EulerOS-SA-2022-1254)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler...