Bug 1204025 - (CVE-2022-2880) VUL-0: CVE-2022-2880: go1.18,go1.19: net/http/httputil: ReverseProxy should not forward unparseable query parameters
(CVE-2022-2880)
VUL-0: CVE-2022-2880: go1.18,go1.19: net/http/httputil: ReverseProxy should n...
Status: RESOLVED FIXED
: 1204076 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/344237/
CVSSv3.1:SUSE:CVE-2022-2880:7.5:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-10-04 21:18 UTC by Jeff Kowalczyk
Modified: 2022-12-05 14:39 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2022-10-04 21:18:20 UTC
Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
Comment 1 OBSbugzilla Bot 2022-10-05 03:35:09 UTC
This is an autogenerated message for OBS integration:
This bug (1204025) was mentioned in
https://build.opensuse.org/request/show/1008077 Factory / go1.18
https://build.opensuse.org/request/show/1008078 Factory / go1.19
Comment 3 Ali Abdallah 2022-10-06 14:15:19 UTC
*** Bug 1204076 has been marked as a duplicate of this bug. ***
Comment 4 Swamp Workflow Management 2022-10-20 01:20:32 UTC
SUSE-SU-2022:3669-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200441,1204023,1204024,1204025
CVE References: CVE-2022-2879,CVE-2022-2880,CVE-2022-41715
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.2-150000.1.12.1
openSUSE Leap 15.3 (src):    go1.19-1.19.2-150000.1.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.2-150000.1.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.2-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-10-20 01:21:33 UTC
SUSE-SU-2022:3668-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1193742,1204023,1204024,1204025
CVE References: CVE-2022-2879,CVE-2022-2880,CVE-2022-41715
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.7-150000.1.34.1
openSUSE Leap 15.3 (src):    go1.18-1.18.7-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.7-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.7-150000.1.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2022-12-05 14:39:34 UTC
done