Request Smuggling via MaxBytesHandler in Python Tornado
CVE-2022-41721 Published on January 13, 2023
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Vulnerability Analysis
CVE-2022-41721 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Products Associated with CVE-2022-41721
Want to know whenever a new CVE is published for GoLang H2c? stack.watch will email you.
Affected Versions
golang.org/x/net/http2/h2c:- Version 0.0.0-20220524220425-1d687d428aca and below 0.1.1-0.20221104162952-702349b0e862 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.