CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Percentile: 52.2%
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http (for example a pair containing a semicolon, or one with a malformed percent-escape). This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value: the proxy's own parsed view (r.Form) omits the rejected pair, so a policy check on it passes, while the backend still receives the raw pair and may interpret it. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
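The following is an added example written for this page to show the smuggling path and the post-fix behaviour; it is not code from the Go project or from the advisory. It models a proxy whose policy check ("admin" parameter rejected) is hypothetical, a legacy backend that still treats ';' as a query separator (assumed, to make the dropped pair meaningful), and a cleanQuery function that mirrors the described sanitization (drop pairs net/http would reject) without being the net/http implementation. The attacker query is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// cleanQuery drops every key=value pair of a raw query string that
// url.ParseQuery would reject (a ';' inside the pair, or a malformed
// percent-escape) and keeps the rest in their original order. It models the
// post-fix behaviour the advisory describes; it is not the net/http code.
func cleanQuery(raw string) (cleaned string, dropped []string) {
	var kept []string
	for _, pair := range strings.Split(raw, "&") {
		if pair == "" {
			continue
		}
		if _, err := url.ParseQuery(pair); err != nil {
			dropped = append(dropped, pair)
			continue
		}
		kept = append(kept, pair)
	}
	return strings.Join(kept, "&"), dropped
}

// proxyDecision models a ReverseProxy front-end that authorizes on the parsed
// query (r.FormValue populates r.Form, which is what the fix keys on) and then
// forwards. sanitize=false forwards the raw inbound query verbatim (pre-fix
// behaviour); sanitize=true cleans the forwarded query whenever the proxy
// parsed it. It returns whether the request was let through and the query the
// backend would receive.
func proxyDecision(rawQuery string, sanitize bool) (allowed bool, backendQuery string) {
	r := httptest.NewRequest(http.MethodGet, "/api?"+rawQuery, nil)
	// Hypothetical policy: any request carrying an "admin" parameter is refused.
	if r.FormValue("admin") != "" {
		return false, ""
	}
	backendQuery = r.URL.RawQuery
	if sanitize && r.Form != nil {
		backendQuery, _ = cleanQuery(backendQuery)
	}
	return true, backendQuery
}

// legacyBackendParse models an assumed backend (older Go, PHP, servlet
// containers) that still accepts ';' as a query separator, which is what makes
// the pair dropped by net/http exploitable.
func legacyBackendParse(q string) url.Values {
	return parseWithSeparators(q, "&;")
}

func parseWithSeparators(q, seps string) url.Values {
	v := url.Values{}
	isSep := func(r rune) bool { return strings.ContainsRune(seps, r) }
	for _, pair := range strings.FieldsFunc(q, isSep) {
		k, val, _ := strings.Cut(pair, "=")
		if uk, err := url.QueryUnescape(k); err == nil {
			k = uk
		}
		if uv, err := url.QueryUnescape(val); err == nil {
			val = uv
		}
		v.Add(k, val)
	}
	return v
}

func main() {
	// Constructed attacker query: the ';' makes net/http drop the whole
	// "admin=1;role=root" pair from r.Form, so FormValue("admin") sees nothing.
	q := "user=alice&admin=1;role=root&bad=%zz"
	for _, sanitize := range []bool{false, true} {
		ok, fwd := proxyDecision(q, sanitize)
		fmt.Printf("sanitize=%v allowed=%v forwarded=%q backend_admin=%q\n",
			sanitize, ok, fwd, legacyBackendParse(fwd).Get("admin"))
	}
}
```

Without sanitization the proxy lets the request through and the legacy backend parses admin=1 out of the forwarded raw query; with sanitization only user=alice is forwarded. A proxy that never calls ParseForm/FormValue keeps r.Form nil and, as the advisory notes, still forwards the raw query unchanged, so the fix is not a substitute for parsing and re-encoding the query when the proxy makes decisions on it.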
OS | OS Version | Architecture | Package | Affected Versions | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.13 | < 1.13.8-1ubuntu1~16.04.3+esm3 | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.13 | < 1.13.8-1ubuntu1~18.04.4+esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.13 | < 1.13.8-1ubuntu1.2 | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.13 | < 1.13.8-1ubuntu2.22.04.2 | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.16 | < 1.16.2-0ubuntu1~18.04.2+esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.16 | < 1.16.2-0ubuntu1~20.04.1 | UNKNOWN |
github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e (go1.18.7)
github.com/golang/go/commit/f6d844510d5f1e3b3098eba255d9b633d45eac3b (go1.19.2)
go.dev/issue/54663
launchpad.net/bugs/cve/CVE-2022-2880
nvd.nist.gov/vuln/detail/CVE-2022-2880
security-tracker.debian.org/tracker/CVE-2022-2880
ubuntu.com/security/notices/USN-6038-1
ubuntu.com/security/notices/USN-6038-2
www.cve.org/CVERecord?id=CVE-2022-2880