CVE-2022-1705

Public on 2022-08-10
Modified on 2024-04-08
Description
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
HAQM Linux 2 - Core go-rpm-macros 2022-10-17 ALAS2-2022-1863 Fixed
HAQM Linux 1 golang 2022-09-15 ALAS-2022-1635 Fixed
HAQM Linux 2 - Core golang 2022-09-15 ALAS2-2022-1846 Fixed
HAQM Linux 2 - Golang1.19 Extra golang 2023-08-07 ALAS2GOLANG1.19-2023-002 Fixed
HAQM Linux 2023 golang 2023-02-17 ALAS2023-2023-048 Fixed
HAQM Linux 2023 golang-github-cpuguy83-md2man 2023-02-17 ALAS2023-2023-047 Fixed
HAQM Linux 2 - Core golang-github-godbus-dbus 2022-10-17 ALAS2-2022-1858 Fixed
HAQM Linux 2 - Core golang-github-gorilla-context 2022-10-17 ALAS2-2022-1859 Fixed
HAQM Linux 2 - Core golang-github-gorilla-mux 2022-10-17 ALAS2-2022-1860 Fixed
HAQM Linux 2 - Core golang-github-kr-pty 2022-10-17 ALAS2-2022-1864 Fixed
HAQM Linux 2 - Core golang-github-syndtr-gocapability 2022-10-17 ALAS2-2022-1865 Fixed
HAQM Linux 2 - Core golang-googlecode-net 2022-10-17 ALAS2-2022-1861 Fixed
HAQM Linux 2 - Core golang-googlecode-sqlite 2022-10-17 ALAS2-2022-1862 Fixed
HAQM Linux 2 - Core golist 2022-09-15 ALAS2-2022-1847 Fixed
HAQM Linux 2023 golist 2023-02-17 ALAS2023-2023-046 Fixed
HAQM Linux 2 - Docker Extra runc 2022-09-30 ALAS2DOCKER-2022-020 Fixed

CVSS Scores

Score Type Score Vector
HAQM Linux CVSSv3 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD CVSSv3 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

Red Hat: CVE-2022-1705 Mitre: CVE-2022-1705