Bug 1207206 - (CVE-2022-41721) VUL-0: CVE-2022-41721: TRACKERBUG: golang/net: http2/h2c: ineffective mitigation for unsafe io.ReadAll
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.5
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/353753/
Blocks: 1207207 1207208
Reported: 2023-01-17 08:10 UTC by Thomas Leroy
Modified: 2023-01-17 08:15 UTC
Found By: Security Response Team
Description Thomas Leroy 2023-01-17 08:10:10 UTC
CVE-2022-41721

A request smuggling attack is possible when using MaxBytesHandler. When using
MaxBytesHandler, the body of an HTTP request is not fully consumed. When the
server attempts to read HTTP2 frames from the connection, it will instead be
reading the body of the HTTP request, which could be attacker-manipulated to
represent arbitrary HTTP2 requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41721
https://www.cve.org/CVERecord?id=CVE-2022-41721
https://go.dev/cl/447396
https://go.dev/issue/56352
https://pkg.go.dev/vuln/GO-2023-1495
Comment 1 Thomas Leroy 2023-01-17 08:11:59 UTC
Two packages in Factory depend on a vulnerable version of http2/h2c:
- openSUSE:Factory/caddy v0.0.0-20220812165438-1d4ff48094d1
- openSUSE:Factory/traefik v0.0.0-20220927171203-f486391704dc
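For the inventory check in comment 1, an added example (not code from this bug, from golang.org/x/net, or from either package): a Go helper that parses golang.org/x/net pseudo-versions such as the two listed above and flags any that predate a fix boundary. The boundary is passed in as a pseudo-version and should be taken from the GO-2023-1495 record linked in the description; the function names and the map standing in for a go.mod scan are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Pseudo-versions (go.dev/ref/mod#pseudo-versions) end in a UTC commit timestamp
// (yyyymmddhhmmss) and a 12-hex-digit commit prefix, e.g. v0.0.0-20220812165438-1d4ff48094d1
// from comment 1 or vX.Y.Z-0.yyyymmddhhmmss-hhhhhhhhhhhh after a tag; both fields are captured.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.-]*\.)?(\d{14})-([0-9a-f]{12})$`)

// ParsePseudo returns the commit timestamp and commit prefix encoded in v. The timestamp
// is fixed-width and zero-padded, so plain string comparison orders it chronologically.
func ParsePseudo(v string) (stamp, commit string, err error) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", "", fmt.Errorf("%q is not a pseudo-version; compare tagged releases by semver", v)
	}
	return m[1], m[2], nil
}

// IsBeforeFix reports whether dep predates fix. Commit time is the only ordering a
// pseudo-version carries, so an equal timestamp counts as fixed only if the prefix matches.
func IsBeforeFix(dep, fix string) (bool, error) {
	ds, dc, err := ParsePseudo(dep)
	if err != nil {
		return false, err
	}
	fs, fc, err := ParsePseudo(fix)
	if err != nil {
		return false, err
	}
	return ds < fs || (ds == fs && dc != fc), nil
}

// AuditXNet returns, sorted, the packages (name -> golang.org/x/net version, as a scan
// of each package's go.mod would collect them) whose dependency predates fixVersion.
func AuditXNet(xnet map[string]string, fixVersion string) ([]string, error) {
	var hits []string
	for pkg, v := range xnet {
		if old, err := IsBeforeFix(v, fixVersion); err != nil {
			return nil, fmt.Errorf("%s: %w", pkg, err) // a tagged release needs a semver check instead
		} else if old {
			hits = append(hits, pkg)
		}
	}
	sort.Strings(hits) // map iteration order is random
	return hits, nil
}
```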