GO-2022-0212

See a problem?

Source

https://pkg.go.dev/vuln/GO-2022-0212

Import Source

https://vuln.go.dev/ID/GO-2022-0212.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0212

Aliases

CVE-2019-16276

Published

2022-05-23T22:46:20Z

Modified

2024-05-20T16:03:47Z

Summary

Request smuggling due to accepting invalid headers in net/http via net/textproto

Details

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.

If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

References

Credits

- Andrew Stucki (99designs.com)
- Adam Scarr (99designs.com)
- Jan Masarik (masarik.sh)

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.10

Introduced

1.13.0-0

Fixed

1.13.1

Ecosystem specific

{
    "imports": [
        {
            "path": "net/textproto",
            "symbols": [
                "Reader.ReadMimeHeader"
            ]
        }
    ]
}