Description
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
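The mitigation this description implies, as an added example that is not code from the page or from the Go project: a middleware for handlers served through net/http/cgi or net/http/fcgi that guarantees a Content-Type header before the first body byte, sniffing it from the first write with http.DetectContentType (as the net/http server itself does) instead of letting the transport fall back to text/html. The names ctEnforcer, EnforceContentType, plainRecorder and ServedContentType are assumptions of this example.

```go
package main

import "net/http"

// ctEnforcer guarantees a Content-Type header is present before the first body byte
// leaves. A missing type is sniffed from the first write with http.DetectContentType,
// as net/http's own server does, rather than defaulting to text/html.
type ctEnforcer struct {
	http.ResponseWriter
	wroteHeader bool
}

func (w *ctEnforcer) WriteHeader(code int) {
	if w.wroteHeader {
		return
	}
	w.wroteHeader = true
	if w.Header().Get("Content-Type") == "" { // header before any body: nothing to sniff
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	}
	w.ResponseWriter.WriteHeader(code)
}

func (w *ctEnforcer) Write(b []byte) (int, error) {
	if !w.wroteHeader && w.Header().Get("Content-Type") == "" {
		w.Header().Set("Content-Type", http.DetectContentType(b))
	}
	w.WriteHeader(http.StatusOK) // no-op if the header was already sent
	return w.ResponseWriter.Write(b)
}

// EnforceContentType wraps the handler handed to cgi.Serve or fcgi.Serve.
func EnforceContentType(h http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		h.ServeHTTP(&ctEnforcer{ResponseWriter: rw}, r)
	})
}

// plainRecorder is a constructed ResponseWriter that does no sniffing of its own.
type plainRecorder struct{ hdr http.Header }

func (p *plainRecorder) Header() http.Header         { return p.hdr }
func (p *plainRecorder) WriteHeader(int)             {}
func (p *plainRecorder) Write(b []byte) (int, error) { return len(b), nil }

// ServedContentType reports the Content-Type a client would receive from h through
// the middleware, for a constructed GET request carrying rawQuery.
func ServedContentType(h http.Handler, rawQuery string) string {
	rec := &plainRecorder{hdr: http.Header{}}
	req, _ := http.NewRequest("GET", "/echo?"+rawQuery, nil)
	EnforceContentType(h).ServeHTTP(rec, req)
	return rec.hdr.Get("Content-Type")
}
```

A handler that echoes request data without setting Content-Type now yields text/plain, while a handler that sets its own type keeps it.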
Packages
| Package | Status | Fix version | Release | Type |
|---|---|---|---|---|
| golang-1.15 | fixed | 1.15.2-1 | | package |
| golang-1.14 | removed | | | package |
| golang-1.11 | removed | | | package |
| golang-1.11 | postponed | | buster | package |
| golang-1.8 | removed | | | package |
| golang-1.8 | no-dsa | | stretch | package |
| golang-1.7 | removed | | | package |
| golang-1.7 | no-dsa | | stretch | package |
Notes
https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs
https://github.com/golang/go/issues/40928
https://github.com/golang/go/issues/41164 (1.14 backport)
https://github.com/golang/go/issues/41165 (1.15 backport)
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting