Описание
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| golang-1.19 | fixed | 1.19~rc1-1 | package | |
| golang-1.18 | fixed | 1.18.4-1 | package | |
| golang-1.17 | fixed | 1.17.13-1 | package | |
| golang-1.15 | removed | package | ||
| golang-1.15 | no-dsa | bullseye | package | |
| golang-1.11 | not-affected | package |
Примечания
https://go.dev/issue/53188
https://github.com/golang/go/commit/e5017a93fcde94f09836200bca55324af037ee5f (go1.19rc1)
https://github.com/golang/go/commit/222ee24a0046ae61679f4d97967e3b4058a3b90e (go1.18.4)
https://github.com/golang/go/commit/d13431c37ab62f9755f705731536ff74e7165b08 (go1.17.12)
Introduced by https://github.com/golang/go/commit/d5734d4f2dd1168dc3df94f2b9912299aea0c0ac (go1.15beta1)
EPSS
Связанные уязвимости
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
EPSS