
Cloud Vulnerability DB
A community-led vulnerabilities database
A request smuggling vulnerability (CVE-2022-41721) was discovered in the handling of request bodies when MaxBytesHandler is used together with the golang.org/x/net/http2/h2c package. Affected versions run from v0.0.0-20220524220425-1d687d428aca up to, but not including, v0.1.1-0.20221104162952-702349b0e862. The issue occurs when the body of an HTTP request is not fully consumed, which lets an attacker have their request body interpreted as arbitrary HTTP/2 requests (Go Vulnerability).
When MaxBytesHandler is in use, the h2c handler does not fully consume the HTTP request body. When the server then reads HTTP/2 frames from the connection, it reads the remaining bytes of the request body instead, so an attacker who controls that body can make it parse as arbitrary HTTP/2 requests. The affected code paths are h2cHandler.ServeHTTP and h2cUpgrade (Go Issue).
The vulnerability enables request smuggling, potentially leading to unauthorized access to or manipulation of HTTP/2 requests. It also creates a potential denial-of-service (DoS) vector in the http2 library (Go Issue).
The vulnerability was fixed in version v0.2.0 of the golang.org/x/net package; the fix is the commit at go.googlesource.com/net/+/702349b0e8628371f0e5ba0c10407448d60a67b1. Downstream distributions have also shipped updates, including Fedora's update of the caddy package to version 2.6.4 (Fedora Update).
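As an added illustration (not the x/net patch itself, and not code from the Go project), the snippet below uses only the standard library to show the defect class and the defensive property: a handler behind http.MaxBytesHandler that never reads its body leaves the whole body unread on the connection, and a draining wrapper (drainBody, a hypothetical helper) removes the leftover bytes that an h2c upgrade would otherwise read back as HTTP/2 frames.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// drainBody is a hypothetical hardening wrapper (not from x/net): it consumes
// whatever body bytes the inner handler left unread before the request
// completes. That is the property the h2c fix restores, since any bytes left
// on the connection would otherwise be parsed as the first HTTP/2 frames.
func drainBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			_, _ = io.Copy(io.Discard, r.Body) // best effort; a capped body may return an error
			_ = r.Body.Close()
		}()
		next.ServeHTTP(w, r)
	})
}

// leftoverBytes serves one constructed POST through h and reports how many
// body bytes were still unread when the handler returned. strings.Reader.Len
// is the number of bytes not yet consumed.
func leftoverBytes(h http.Handler, body string) int {
	sr := strings.NewReader(body)
	req := httptest.NewRequest(http.MethodPost, "/", sr)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return sr.Len()
}

// demo mirrors the advisory's pattern: a handler behind http.MaxBytesHandler
// that never reads its body, measured without and then with the drain wrapper.
func demo() (withoutDrain, withDrain int) {
	ignoresBody := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	limited := http.MaxBytesHandler(ignoresBody, 1<<20)
	body := strings.Repeat("x", 64) // constructed 64-byte body
	return leftoverBytes(limited, body), leftoverBytes(drainBody(limited), body)
}

func main() {
	a, b := demo()
	fmt.Printf("unread body bytes: without drain=%d, with drain=%d\n", a, b) // 64, 0
}
```

On a real h2c server the same leftover count is what matters: any non-zero value is body data that the HTTP/2 frame reader would see next.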
Source: This report was generated using AI