发布时间: 2022年10月21日
修改时间: 2025年3月4日
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request s Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
| NVD | openEuler | |
|---|---|---|
| Confidentiality | None | None |
| Attack Vector | Network | Network |
| CVSS评分 | 7.5 | 5.3 |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| Scope | Unchanged | Unchanged |
| Integrity | High | None |
| User Interaction | None | None |
| Availability | None | Low |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2022-2566 | golang security update | 2022年10月21日 |
| KylinSec-SA-2025-1138 | podman security update | 2025年2月28日 |
| KylinSec-SA-2025-1601 | etcd security update | 2025年3月13日 |
| KylinSec-SA-2025-1606 | podman security update | 2025年3月18日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | golang | Fixed |
| KY3.4-5A | golang | Fixed |
| V6 | golang | Fixed |
| KY3.5.1 | golang | Fixed |
| KY3.5.3 | golang | Fixed |
