SB2020020804 - Inconsistent interpretation of HTTP requests in GOland Go fro del
Published: February 8, 2020 Updated: July 17, 2020
Security Bulletin ID
SB2020020804
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2015-5741)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
Remediation
Install update from vendor's website.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html
- http://seclists.org/oss-sec/2015/q3/237
- http://seclists.org/oss-sec/2015/q3/292
- http://seclists.org/oss-sec/2015/q3/294
- https://bugzilla.redhat.com/show_bug.cgi?id=1250352
- https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f