Vulnerability Description
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
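The advisory describes the client-side half of a framing disagreement: the Go HTTP/1 client treats a malformed Transfer-Encoding value as chunked, while an intermediary that forwards the header unchanged instead of rejecting it frames the same message by Content-Length, so the two parties disagree about where the message ends and the next one begins. The Go program below is an added example, not code from the Go project or from this page. It feeds constructed responses to http.ReadResponse (the parser the http.Client uses for HTTP/1 responses) and classifies how each Transfer-Encoding value is handled, and beside it models the Content-Length-framing intermediary so the disagreement is visible. The malformed values ("\rchunked", "chunked\r", "chunked, gzip", "xchunked") and the conflicting Content-Length are constructed illustrations of invalid input and are not taken from the advisory. On a fixed toolchain (Go 1.17.12, 1.18.4 or later) every malformed value should come back "rejected"; a "chunked" result for any of them is the acceptance the advisory describes.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// Constructed chunked body: one 2-byte chunk ("ok"), the last-chunk "0" and
// the empty trailer section. 12 bytes on the wire.
const chunkedBody = "2\r\nok\r\n0\r\n\r\n"

// BuildResponse returns a constructed HTTP/1.1 response whose Transfer-Encoding
// header carries teValue. The Content-Length of 5 deliberately conflicts with
// the chunked framing (an assumption of this example, not taken from the
// advisory): a reader that honours Transfer-Encoding consumes all 12 body
// bytes, a reader that ignores it and trusts Content-Length stops after 5.
func BuildResponse(teValue string) string {
	return "HTTP/1.1 200 OK\r\n" +
		"Transfer-Encoding: " + teValue + "\r\n" +
		"Content-Length: 5\r\n" +
		"\r\n" +
		chunkedBody
}

// ProbeResult records how net/http's HTTP/1 client parser interpreted one
// Transfer-Encoding value.
type ProbeResult struct {
	Outcome string // "chunked", "rejected" or "accepted-not-chunked"
	Body    string // body as decoded by the client; empty when rejected
	Err     error  // parse or body error when Outcome is "rejected"
}

// ProbeTransferEncoding feeds BuildResponse(teValue) to http.ReadResponse, the
// parser the http.Client uses for HTTP/1 responses, and classifies the result.
func ProbeTransferEncoding(teValue string) ProbeResult {
	br := bufio.NewReader(strings.NewReader(BuildResponse(teValue)))
	resp, err := http.ReadResponse(br, nil)
	if err != nil {
		return ProbeResult{Outcome: "rejected", Err: err}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{Outcome: "rejected", Err: err}
	}
	outcome := "accepted-not-chunked"
	if len(resp.TransferEncoding) == 1 && resp.TransferEncoding[0] == "chunked" {
		outcome = "chunked"
	}
	return ProbeResult{Outcome: outcome, Body: string(body)}
}

// FrameByContentLength models the intermediary in the advisory's scenario: it
// does not reject the unrecognised Transfer-Encoding value, forwards it as-is,
// and frames the body by Content-Length. It returns the bytes it treats as this
// message's body and the bytes it leaves on the connection, which it will then
// parse as the start of the next message.
func FrameByContentLength(raw string) (body, leftover string, err error) {
	head, rest, ok := strings.Cut(raw, "\r\n\r\n")
	if !ok {
		return "", "", fmt.Errorf("no end of headers")
	}
	n := -1
	for _, line := range strings.Split(head, "\r\n")[1:] { // [0] is the status line
		name, value, _ := strings.Cut(line, ":")
		if strings.EqualFold(strings.TrimSpace(name), "Content-Length") {
			if n, err = strconv.Atoi(strings.TrimSpace(value)); err != nil {
				return "", "", fmt.Errorf("bad Content-Length %q: %w", value, err)
			}
		}
	}
	if n < 0 || n > len(rest) {
		return "", "", fmt.Errorf("missing or oversized Content-Length")
	}
	return rest[:n], rest[n:], nil
}

func main() {
	// Valid spellings first (the coding name is case-insensitive), then the
	// constructed malformed values a strict parser must reject.
	for _, te := range []string{"chunked", "Chunked", "\rchunked", "chunked\r", "chunked, gzip", "xchunked"} {
		r := ProbeTransferEncoding(te)
		pb, left, perr := FrameByContentLength(BuildResponse(te))
		fmt.Printf("%-16q client=%-21s body=%-5q err=%v\n", te, r.Outcome, r.Body, r.Err)
		fmt.Printf("%-16s intermediary body=%q leftover=%q err=%v\n", "", pb, left, perr)
	}
}
```

Run it with `go run` on the toolchain you want to check. For the valid "chunked" message the client decodes "ok" and consumes the whole chunked body, while the Content-Length-framing intermediary takes only "2\r\nok" and leaves "\r\n0\r\n\r\n" on the connection as the start of the next message; that leftover is the desynchronisation that request smuggling exploits. For the malformed values a fixed client returns an error and no body, so no such disagreement can arise on its side; if the probe reports "chunked" for one of them, the client accepts an invalid header, which is the behaviour the advisory describes.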
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.17.12 |
| Golang | Go | >= 1.18.0, < 1.18.4 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/409874 (Patch, Vendor Advisory)
- https://go.dev/cl/410714 (Patch, Vendor Advisory)
- https://go.dev/issue/53188 (Exploit, Issue Tracking, Patch)
- https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f (Patch, Vendor Advisory)
- https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE (Release Notes, Vendor Advisory)
- https://pkg.go.dev/vuln/GO-2022-0525 (Vendor Advisory)
FAQ
What is CVE-2022-1705?
CVE-2022-1705 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
How severe is CVE-2022-1705?
CVE-2022-1705 has been rated MEDIUM with a CVSS base score of 6.5/10. The severity reflects that exploitation requires a second component, an intermediate server that also accepts the invalid header, rather than the Go client alone.
Is there a patch for CVE-2022-1705?
Yes. The issue is fixed in Go 1.17.12 and Go 1.18.4; upgrade to those releases or later. The patch changes (https://go.dev/cl/409874, https://go.dev/cl/410714) and the golang-announce release notes are listed in the references section above. Affected product: Golang Go.