CVE-2022-41721
request smuggling vulnerability in net (Go)
What is CVE-2022-41721 About?
This vulnerability is a request smuggling attack possible when using `MaxBytesHandler` in Go's `golang.org/x/net/http2/h2c` package. It allows an attacker to manipulate the HTTP/2 stream by having the server misinterpret HTTP/1 body content as HTTP/2 frames. This can lead to bypassing security controls or injecting arbitrary requests, and exploitation is of medium complexity.
Affected Software
Technical Details
The vulnerability specifically impacts golang.org/x/net/http2/h2c when used with MaxBytesHandler. The core issue arises because MaxBytesHandler does not fully consume the body of an HTTP/1 request. If a client sends a request that is partially consumed as HTTP/1 and then transitions to HTTP/2, the unread portion of the HTTP/1 body can be misinterpreted by the server as HTTP/2 frames. An attacker can craft a request such that the HTTP/1 body contains valid-looking HTTP/2 frame data. The server, expecting HTTP/2 frames from the connection, will then process this attacker-controlled data as legitimate HTTP/2 requests, despite its origin as an HTTP/1 body. This can lead to request smuggling, allowing attackers to bypass security mechanisms (e.g., WAFs), access internal endpoints, or conduct other prohibited actions.
What is the Impact of CVE-2022-41721?
Successful exploitation may allow attackers to bypass security controls, access unauthorized resources, or inject arbitrary HTTP/2 requests into the internal network, potentially leading to data exfiltration or internal system compromise.
What is the Exploitability of CVE-2022-41721?
Exploitation is of medium complexity, requiring a detailed understanding of HTTP/1 and HTTP/2 protocol intricacies and how MaxBytesHandler operates. The prerequisite is a Go server utilizing golang.org/x/net/http2/h2c with MaxBytesHandler. No specific authentication is inherently required if the vulnerable component is publicly accessible and accepts unauthenticated requests. Privilege requirements are low from the attacker's perspective, as the attack manipulates protocol parsing. This is a remote vulnerability. Special conditions include the specific combination of h2c and MaxBytesHandler being in use. The likelihood of exploitation increases if the application uses these components and if the attacker can carefully craft byte streams to exploit the parsing boundary.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-41721?
Available Upgrade Options
- golang.org/x/net
- >0.0.0-20220524220425-1d687d428aca, <0.1.1-0.20221104162952-702349b0e862 → Upgrade to 0.1.1-0.20221104162952-702349b0e862
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-fxg5-wq6x-vr4w
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP
- https://go.dev/cl/447396
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5DXTLLWN6HKI5I35EUZRBISTNZJ75GP/
- https://go.dev/issue/56352
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3H3EWQXM2XL5AGBX6UL443JEJ3GQXJN
- https://osv.dev/vulnerability/GO-2023-1495
- https://cs.opensource.google/go/x/net
- https://pkg.go.dev/vuln/GO-2023-1495
- https://go.dev/cl/447396
What are Similar Vulnerabilities to CVE-2022-41721?
Similar Vulnerabilities: CVE-2021-3159 , CVE-2020-1968 , CVE-2020-10967 , CVE-2019-14889 , CVE-2018-1000858
