data/reports: add GO-2023-1495.yaml

tatianab · Tatiana Bradley · commit e501018ecb84 · 2023-01-13T22:39:40.000Z
Aliases: CVE-2022-41721 Updates #1495 Change-Id: I4a95c86b2b1815e8b774d00e810c3d110771456f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462082 Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Reviewed-by: John Howard <howardjohn@google.com>
diff --git a/data/cve/v5/GO-2023-1495.json b/data/cve/v5/GO-2023-1495.json
@@ -0,0 +1,72 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2022-41721"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "golang.org/x/net",
+          "product": "golang.org/x/net/http2/h2c",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/net/http2/h2c",
+          "versions": [
+            {
+              "version": "0.0.0-20220524220425-1d687d428aca",
+              "lessThan": "0.1.1-0.20221104162952-702349b0e862",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "h2cHandler.ServeHTTP"
+            },
+            {
+              "name": "h2cUpgrade"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE 444: Inconsistent Interpretation of HTTP Requests (\"HTTP Request/Response Smuggling)"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/issue/56352"
+        },
+        {
+          "url": "https://go.dev/cl/447396"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2023-1495"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "John Howard (Google)"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/osv/GO-2023-1495.json b/data/osv/GO-2023-1495.json
@@ -0,0 +1,60 @@
+{
+  "id": "GO-2023-1495",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-41721"
+  ],
+  "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.",
+  "affected": [
+    {
+      "package": {
+        "name": "golang.org/x/net",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.0.0-20220524220425-1d687d428aca"
+            },
+            {
+              "fixed": "0.1.1-0.20221104162952-702349b0e862"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2023-1495"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/net/http2/h2c",
+            "symbols": [
+              "h2cHandler.ServeHTTP",
+              "h2cUpgrade"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/56352"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/447396"
+    }
+  ],
+  "credits": [
+    {
+      "name": "John Howard (Google)"
+    }
+  ],
+  "schema_version": "1.3.1"
+}
diff --git a/data/reports/GO-2023-1495.yaml b/data/reports/GO-2023-1495.yaml
@@ -0,0 +1,26 @@
+modules:
+  - module: golang.org/x/net
+    versions:
+      - introduced: 0.0.0-20220524220425-1d687d428aca
+        fixed: 0.1.1-0.20221104162952-702349b0e862
+    vulnerable_at: 0.1.1-0.20221104145632-7a676822c292
+    packages:
+      - package: golang.org/x/net/http2/h2c
+        symbols:
+          - h2cHandler.ServeHTTP
+          - h2cUpgrade
+description: |
+    A request smuggling attack is possible when using MaxBytesHandler.
+
+    When using MaxBytesHandler, the body of an HTTP request is not fully
+    consumed. When the server attempts to read HTTP2 frames from the
+    connection, it will instead be reading the body of the HTTP request,
+    which could be attacker-manipulated to represent arbitrary HTTP2 requests.
+credit: John Howard (Google)
+references:
+  - report: https://go.dev/issue/56352
+  - fix: https://go.dev/cl/447396
+cve_metadata:
+    id: CVE-2022-41721
+    cwe: 'CWE 444: Inconsistent Interpretation of HTTP Requests ("HTTP Request/Response
+        Smuggling)'
