RHSA-2023%3A0584
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:13581442e0c3534437ba716096f7aad0c7d78a6bac74ffaaaac1c43605861d83_amd64 as a component of OSSO 1.1 for RHEL 8 | *, openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:13581442e0c3534437ba716096f7aad0c7d78a6bac74ffaaaac1c43605861d83_amd64 |
| Red Hat | openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:13581442e0c3534437ba716096f7aad0c7d78a6bac74ffaaaac1c43605861d83_amd64 as a component of OSSO 1.1 for RHEL 8 | *, openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:13581442e0c3534437ba716096f7aad0c7d78a6bac74ffaaaac1c43605861d83_amd64, openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:13581442e0c3534437ba716096f7aad0c7d78a6bac74ffaaaac1c43605861d83_amd64 |
| Red Hat | openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:bae76f2dbbc1900048dc213026a284d7b8ef2cc07a0708eeafacacf14ae511b6_amd64 as a component of OSSO 1.1 for RHEL 8 | openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:bae76f2dbbc1900048dc213026a284d7b8ef2cc07a0708eeafacacf14ae511b6_amd64, openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:bae76f2dbbc1900048dc213026a284d7b8ef2cc07a0708eeafacacf14ae511b6_amd64, * |
| Red Hat | openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:bae76f2dbbc1900048dc213026a284d7b8ef2cc07a0708eeafacacf14ae511b6_amd64 as a component of OSSO 1.1 for RHEL 8 | *, openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:bae76f2dbbc1900048dc213026a284d7b8ef2cc07a0708eeafacacf14ae511b6_amd64 |
| golang | Go |
Timeline
- May 18, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2023:0584 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2113814 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2124668 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2124669 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2132868 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2132872 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2161274 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2178488 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2178492 issue
- https://issues.redhat.com/browse/WRKLDS-653 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0584.json advisory
- https://access.redhat.com/security/cve/CVE-2022-2880 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-2880 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-2880 advisory
- https://github.com/golang/go/issues/54663 advisory
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1 advisory
- https://access.redhat.com/security/cve/CVE-2022-27664 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-27664 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-27664 advisory
…and 36 more