CVE-2022-1705
Improper sanitization of Transfer-Encoding headers in net/http
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 0.06%
Description
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
How to fix CVE-2022-1705
To remediate CVE-2022-1705, upgrade the affected package to a fixed version below.
- —upgrade to 1.17.12 or later
- —no fix listed
- —upgrade to 1.19~rc1-1 or later
- —upgrade to 1.17.12 or later
Is CVE-2022-1705 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0 up to (excluding) 1.17.12, and from 1.18.0 up to (excluding) 1.18.4
- from 0 (no fixed version listed)
- from 0 up to (excluding) 1.19~rc1-1
- from 0 up to (excluding) 1.17.12, and from 1.18.0-0 up to (excluding) 1.18.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |