#VU21409 Inconsistent interpretation of HTTP requests in Go programming language


Published: 2019-09-29

Vulnerability identifier: #VU21409

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16276

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to Go programming language accepts and normalizes HTTP requests with malformed HTTP/1.1 headers containing a space before the colon. A remote attacker can use a malformed request to bypass configured filtration and gain access to presumably restricted functionality.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.13, 1.12.1 - 1.12.9, 1.11 - 1.11beta3

External links
http://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q
http://github.com/golang/go/issues/34540
http://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c
http://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenShift Container Platform update for golang
Red Hat update for go-toolset:rhel8
Amazon Linux AMI update for golang
Red Hat update for go-toolset-1.12-golang
Amazon Linux AMI update for golang
OpenSUSE Linux update for go1.12
OpenSUSE Linux update for go1.12
Debian update for golang-1.11
HTTP request smuggling in Go programming language
Inconsistent interpretation of HTTP requests in go (Alpine package)