Bug 1207206 - (CVE-2022-41721) VUL-0: CVE-2022-41721: TRACKERBUG: golang/net: http2/h2c: ineffective mitigation for unsafe io.ReadAll
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.5
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Depends on:
Blocks: 1207207 1207208
Reported: 2023-01-17 08:10 UTC by Thomas Leroy
Modified: 2023-01-17 08:15 UTC
Found By: Security Response Team

Description Thomas Leroy 2023-01-17 08:10:10 UTC

A request smuggling attack is possible when using MaxBytesHandler. When using
MaxBytesHandler, the body of an HTTP request is not fully consumed. When the
server attempts to read HTTP2 frames from the connection, it will instead be
reading the body of the HTTP request, which could be attacker-manipulated to
represent arbitrary HTTP2 requests.
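
The defensive invariant behind this report, as an added Go example that is not part of the bug report or of golang.org/x/net: an h2c upgrade path must either consume the HTTP/1.1 body to EOF within its byte cap or refuse to reuse the connection, because any body bytes left unread would be parsed as HTTP/2 frames. `readUpgradeBody` and `ErrBodyNotDrained` are hypothetical names; the request bodies are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrBodyNotDrained (hypothetical name) is returned when the body exceeds the
// cap. The unread remainder is still sitting on the connection, and an HTTP/2
// server that took over the connection now would parse it as frames, so the
// caller must close the connection instead of upgrading it.
var ErrBodyNotDrained = errors.New("h2c upgrade: body exceeds cap, connection not drained")

// readUpgradeBody reads the HTTP/1.1 request body that precedes an h2c
// upgrade while enforcing maxBytes. Unlike a byte-limited reader that merely
// stops early, it distinguishes "consumed to EOF" from "stopped at the cap":
// only the former leaves the connection safe to hand to the HTTP/2 framer.
func readUpgradeBody(body io.Reader, maxBytes int64) ([]byte, error) {
	// Allow exactly one byte past the cap so an oversize body is detected
	// without reading unbounded attacker-controlled input.
	data, err := io.ReadAll(io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		// Bytes remain on the wire; the connection must not be reused.
		return nil, ErrBodyNotDrained
	}
	return data, nil // body fully consumed: nothing left for the framer to misread
}

func main() {
	const limit = 8
	// Constructed bodies: one within the cap, one that overruns it.
	for _, body := range []string{"settings", "settings-and-more"} {
		data, err := readUpgradeBody(bytes.NewReader([]byte(body)), limit)
		if errors.Is(err, ErrBodyNotDrained) {
			fmt.Printf("%q: %v -> close connection\n", body, err)
			continue
		}
		fmt.Printf("%q: %d bytes consumed, safe to upgrade\n", body, len(data))
	}
}
```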

Comment 1 Thomas Leroy 2023-01-17 08:11:59 UTC
Two packages in Factory depend on a vulnerable version of http2/h2c:
- openSUSE:Factory/caddy v0.0.0-20220812165438-1d4ff48094d1
- openSUSE:Factory/traefik v0.0.0-20220927171203-f486391704dc