CVE-2022-1705 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-1705

CVE-2022-1705

August 09, 2022

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

Related Resources (11)

https://security.alpinelinux.org/vuln/CVE-2022-1705

https://people.canonical.com/~ubuntu-security/cve/CVE-2022-1705

https://access.redhat.com/security/cve/CVE-2022-1705

https://pkg.go.dev/vuln/GO-2022-0525

https://security-tracker.debian.org/tracker/CVE-2022-1705

https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f

https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

https://go.dev/issue/53188

https://go.dev/cl/410714

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/

https://go.dev/cl/409874

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-444

EPSS

Base Score:

0.05

Products

Solutions

Resources

Company

Compare

Developer Tools