#VU21783 Inconsistent interpretation of HTTP requests in Go programming language - CVE-2015-5739


Vulnerability identifier: #VU21783

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-5739

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to conduct an HTTP request smuggling attack on the target system.

The vulnerability exists due to the "net/http" library in "net/textproto/reader.go" does not properly parse HTTP header keys. A remote attacker can send a specially crafted HTTP request and conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1, 1.0.1 - 1.0.3, 1.1 - 1.1.2, 1.2 - 1.2.2, 1.3 - 1.3.3, 1.4 - 1.4.2

External links
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Business Automation
IBM Robotic Process Automation for Cloud Pak update for Go
Multiple vulnerabilities in IBM Concert Software
Multiple vulnerabilities in Go
Red Hat Enterprise Linux 7 update for golang
Inconsistent interpretation of HTTP requests in go (Alpine package)
Fedora 22 update for golang
Fedora EPEL 6 update for golang
Fedora 21 update for golang
Fedora 22 update for golang