Client IP address disclosure vulnerability in "net/http" through incorrect handling of the "X-Forwarded-For" header in Go
Description
Improper exposure of client IP addresses in net/http occurs when httputil.ReverseProxy.ServeHTTP is called with a Request.Header map that contains a nil value for the X-Forwarded-For header. This causes ReverseProxy to set the client's IP address as the value of the X-Forwarded-For header, even though a nil entry is the documented way of telling the proxy not to add that header.
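The following Go program is an added regression check, not code from this advisory or from the Go project. It runs a request through a ReverseProxy whose front handler sets the X-Forwarded-For map entry to nil before calling ServeHTTP (the situation described above), and reports what the backend actually received; it also checks that http.Header.Clone preserves nil values, the property the proxy depends on. It assumes loopback httptest servers can be started; the function names are the example's own.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// cloneKeepsNil reports whether http.Header.Clone preserves a nil value.
// ReverseProxy distinguishes nil ("do not add X-Forwarded-For") from an empty slice.
func cloneKeepsNil() bool {
	h := http.Header{"X-Forwarded-For": nil}
	v, ok := h.Clone()["X-Forwarded-For"]
	return ok && v == nil
}

// forwardedForSeen sends one request through a ReverseProxy and returns the
// X-Forwarded-For value the backend received ("" when the header was absent).
func forwardedForSeen(suppress bool) string {
	var got string
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Get("X-Forwarded-For")
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	proxy := httputil.NewSingleHostReverseProxy(target)
	front := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if suppress {
			r.Header["X-Forwarded-For"] = nil // documented way to withhold the client IP
		}
		proxy.ServeHTTP(w, r)
	}))
	defer front.Close()
	resp, err := http.Get(front.URL)
	if err != nil {
		return "error: " + err.Error()
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	return got
}

func main() {
	fmt.Println("Header.Clone keeps nil:", cloneKeepsNil())
	fmt.Printf("default: %q, suppressed: %q\n", forwardedForSeen(false), forwardedForSeen(true))
}
```

On a patched Go toolchain the suppressed case yields an empty string; on an affected version the backend would instead see the loopback client address.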
Affected software versions
- Go before 1.17.12
- Go before 1.18.4
Vulnerability type
Information disclosure
References
- Patch
- Exploit, Issue Tracking, Third Party Advisory
- Mailing List, Patch
- Mailing List, Release Notes
- Vendor Advisory
CVSS3
6.5 Medium
Related vulnerabilities
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.