Vulnerability Name: | CVE-2022-41721 (CCN-244775) | ||||||||||||
Assigned: | 2022-09-28 | ||||||||||||
Published: | 2023-01-13 | ||||||||||||
Updated: | 2023-01-24 | ||||||||||||
Summary: | Golang Go is vulnerable to HTTP request smuggling, caused by a flaw when using MaxBytesHandler. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. | ||||||||||||
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||
CVSS v2 Severity: | 6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
| ||||||||||||
Vulnerability Consequences: | Gain Access | ||||||||||||
References: | Source: MITRE Type: CNA CVE-2022-41721 Source: XF Type: UNKNOWN golang-cve202241721-request-smuggling(244775) Source: CCN Type: Go GIT Repository x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll #56352 Source: CCN Type: GO-2023-1495 GO Source: CCN Type: IBM Security Bulletin 6959921 (Cloud Integration Platform) Automation Assets in IBM Cloud Pak for Integration is vulnerable to request smuggling in Go (CVE-2022-41721) Source: CCN Type: IBM Security Bulletin 6959923 (Cloud Integration Platform) Operations Dashboard is vulnerable to denial of service and request smuggling due to Go CVE-2022-41717 and CVE-2022-41721 Source: CCN Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent) Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift Source: CCN Type: IBM Security Bulletin 6980755 (CICS TX Standard) CVE-2022-41721 may affect IBM CICS TX Standard Source: CCN Type: IBM Security Bulletin 6982921 (Sterling Order Management) Golang Go vulnerability Source: CCN Type: IBM Security Bulletin 6983270 (Robotic Process Automation) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Source: CCN Type: IBM Security Bulletin 6984421 (Watson Discovery) IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go Source: CCN Type: IBM Security Bulletin 6986361 (Robotic Process Automation) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Source: CCN Type: IBM Security Bulletin 6997601 (CICS TX Advanced) CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced Source: CCN Type: IBM Security Bulletin 7005485 (Cloud Pak for Network Automation) Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities Source: CCN Type: IBM Security Bulletin 7005589 (Spectrum Protect Plus) Vulnerabilities in Apache Commons, Tomcat, Go, libcurl, OpenSSL, Python, Node.js, and Linux can affect IBM Spectrum Protect Plus. Source: CCN Type: IBM Security Bulletin 7008051 (Watson Speech Services Cartridge for Cloud Pak for Data) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to HTTP request smuggling in Golang Go ( CVE-2022-41721) Source: CCN Type: IBM Security Bulletin 7008449 (Db2 on Cloud Pak for Data) Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data Source: CCN Type: IBM Security Bulletin 7009757 (Match 360) ICP Match 360 is vulnerable to the following CVEs Source: CCN Type: IBM Security Bulletin 7014659 (Cloud Transformation Advisor) IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities Source: CCN Type: Mend Vulnerability Database CVE-2022-41721 | ||||||||||||
Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||
BACK |