CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 45.4%
golang.org/x/net/http2/h2c is vulnerable to HTTP Request Smuggling. The vulnerability exists in the h2cUpgrade function of h2c.go because it does not properly handle errors when reading the HTTP/2 frames from the HTTP/1 request body using MaxBytesHandler, which allows an attacker to send arbitrary HTTP/2 requests to the server.
github.com/advisories/GHSA-fxg5-wq6x-vr4w
github.com/golang/go/issues/56352
github.com/golang/net/commit/702349b0e8628371f0e5ba0c10407448d60a67b1
go-review.googlesource.com/c/net/+/447396
go.dev/cl/447396
go.dev/issue/56352
lists.fedoraproject.org/archives/list/[email protected]/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN/
lists.fedoraproject.org/archives/list/[email protected]/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/
pkg.go.dev/vuln/GO-2023-1495