Vulnerability details: VCID-24ms-6tr4-aaas
Vulnerability ID VCID-24ms-6tr4-aaas
Aliases CVE-2022-2880
Summary Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
System    Score    Found at
cvssv3    7.5      https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2880.json
epss      0.00029  https://api.first.org/data/v1/epss?cve=CVE-2022-2880
epss      0.0003   https://api.first.org/data/v1/epss?cve=CVE-2022-2880
epss      0.0012   https://api.first.org/data/v1/epss?cve=CVE-2022-2880
epss      0.00156  https://api.first.org/data/v1/epss?cve=CVE-2022-2880
epss      0.00163  https://api.first.org/data/v1/epss?cve=CVE-2022-2880
cvssv3.1  7.5      https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3    7.5      https://nvd.nist.gov/vuln/detail/CVE-2022-2880
cvssv3.1  7.5      https://nvd.nist.gov/vuln/detail/CVE-2022-2880
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2880.json
https://api.first.org/data/v1/epss?cve=CVE-2022-2880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2880
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://go.dev/cl/432976
https://go.dev/issue/54663
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THKJHFMX4DAZXJ5MFPN3BNHZDN7BW5RI/
https://pkg.go.dev/vuln/GO-2022-1038
https://www.oxeye.io/blog/golang-parameter-smuggling-attack
2132868 https://bugzilla.redhat.com/show_bug.cgi?id=2132868
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
CVE-2022-2880 https://nvd.nist.gov/vuln/detail/CVE-2022-2880
GLSA-202311-09 https://security.gentoo.org/glsa/202311-09
RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399
RHSA-2022:8535 https://access.redhat.com/errata/RHSA-2022:8535
RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781
RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264
RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328
RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445
RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446
RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542
RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584
RHSA-2023:0631 https://access.redhat.com/errata/RHSA-2023:0631
RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693
RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708
RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709
RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727
RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174
RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167
RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204
RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357
RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780
RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784
RHSA-2023:2866 https://access.redhat.com/errata/RHSA-2023:2866
RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205
RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613
RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
RHSA-2023:3664 https://access.redhat.com/errata/RHSA-2023:3664
RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944
RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988
USN-6038-1 https://usn.ubuntu.com/6038-1/
USN-6038-2 https://usn.ubuntu.com/6038-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2880.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2880
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05147
EPSS Score 0.00029
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.