exploitDog
CVE-2015-5739

Published: 29 Jul 2015
Source: redhat
CVSS2: 6.8
EPSS: Medium

Description

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."

Red Hat's summary: HTTP request smuggling vulnerabilities were found in the Go net/http and net/textproto libraries. A request carrying two Content-Length fields is not rejected with a 400 error (the second field is silently ignored), and malformed field names are accepted as valid (for example "Content Length:", with a space where the hyphen belongs). A front-end proxy and the Go server can therefore disagree on where one request ends and the next begins, so an unauthenticated attacker could use these flaws to bypass security controls, poison web caches, or desynchronize the request/response mapping (denial of service).
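As an added example (not part of this advisory and not Go's own net/textproto code), the following strict HTTP/1.1 header parser in Go fails closed on exactly the two conditions described above: a field name containing a byte outside the RFC 7230 token set (such as the space in "Content Length"), and repeated Content-Length fields whose values disagree. The function names ValidHeaderKey and ParseRequestHeaders and the sample requests are the example's own, constructed for illustration rather than captured traffic.

```go
package main

import (
	"errors"
	"fmt"
	"net/textproto"
	"strings"
)

var (
	ErrMalformedHeader   = errors.New("malformed header line")
	ErrInvalidHeaderKey  = errors.New("invalid header field name")
	ErrConflictingLength = errors.New("conflicting Content-Length values")
)

// isTokenChar reports whether c is an RFC 7230 tchar, the only bytes allowed
// in a header field name. Space (0x20) is not one, so "Content Length" fails.
func isTokenChar(c byte) bool {
	if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') {
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidHeaderKey is the check the vulnerable parser lacked: a non-empty
// field name consisting only of tchar bytes.
func ValidHeaderKey(key string) bool {
	if key == "" {
		return false
	}
	for i := 0; i < len(key); i++ {
		if !isTokenChar(key[i]) {
			return false
		}
	}
	return true
}

// ParseRequestHeaders takes a raw HTTP/1.1 request (request line, header
// lines, blank line, optional body) and returns the canonicalized header map.
// It rejects a field name with a non-token byte, a line that is not
// "name:value" (including obs-fold continuation lines), and repeated
// Content-Length fields that disagree. Identical repeats are collapsed to a
// single value, which RFC 7230 permits.
func ParseRequestHeaders(raw string) (map[string][]string, error) {
	lines := strings.Split(raw, "\r\n")
	if len(lines) < 2 {
		return nil, ErrMalformedHeader
	}
	hdr := make(map[string][]string)
	for _, line := range lines[1:] { // lines[0] is the request line
		if line == "" {
			break // blank line ends the header block; anything after is body
		}
		i := strings.IndexByte(line, ':')
		if i <= 0 || line[0] == ' ' || line[0] == '\t' {
			return nil, fmt.Errorf("%w: %q", ErrMalformedHeader, line)
		}
		key := line[:i]
		if !ValidHeaderKey(key) {
			return nil, fmt.Errorf("%w: %q", ErrInvalidHeaderKey, key)
		}
		key = textproto.CanonicalMIMEHeaderKey(key)
		val := strings.Trim(line[i+1:], " \t")
		if key == "Content-Length" {
			if prev, ok := hdr[key]; ok {
				if prev[0] != val {
					return nil, fmt.Errorf("%w: %q vs %q", ErrConflictingLength, prev[0], val)
				}
				continue // same value repeated: keep one copy
			}
		}
		hdr[key] = append(hdr[key], val)
	}
	return hdr, nil
}

func main() {
	// Constructed sample requests, not captured traffic.
	samples := map[string]string{
		"clean":        "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
		"space in key": "POST / HTTP/1.1\r\nHost: example.test\r\nContent Length: 5\r\n\r\nhello",
		"double CL":    "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello",
	}
	for name, req := range samples {
		hdr, err := ParseRequestHeaders(req)
		fmt.Printf("%-13s -> headers=%v err=%v\n", name, hdr, err)
	}
}
```

Current Go releases reject such requests inside the standard library; the example makes the two checks explicit so they can be applied in front of any parser, or used as a regression test against a front-end proxy that is expected to normalize requests before they reach a Go backend.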

Affected packages

Platform                                                                Package   State          Advisory          Released
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools  golang    Will not fix
Red Hat OpenStack Platform 8 (Liberty) Operational Tools                golang    Will not fix
Red Hat Enterprise Linux 7                                              golang    Fixed          RHSA-2016:1538    02.08.2016 (2 Aug 2016)


Additional information

Severity (Red Hat): Moderate
Weakness: CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling")
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1250352 (golang: HTTP request smuggling in net/http library)

EPSS: 0.19207 (95th percentile), Medium
CVSS2: 6.8 (Medium)

Related entries

The same CVE in other trackers. Each carries the NVD description quoted above; note that these sources score it CVSS3 9.8 (Critical), well above the CVSS2 6.8 shown here.

ubuntu   CVSS3: 9.8   more than 8 years ago
nvd      CVSS3: 9.8   more than 8 years ago
debian   CVSS3: 9.8   more than 8 years ago
github   CVSS3: 9.8   more than 3 years ago
