exploitDog

CVE-2015-5741

Published: 29 Jul 2015
Source: redhat
CVSS2: 6.8
EPSS: Low

Description

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

HTTP request smuggling vulnerabilities have been found in the Golang net/http and net/textproto libraries. A request with two Content-Length header fields does not produce a 400 error (the second field is silently ignored), and invalid header fields are parsed as valid (for example, "Content Length:" with a space in the field name is accepted). An unauthenticated remote attacker could exploit these flaws to bypass security controls, poison web caches, or desynchronize the request/response mapping between a front-end and a back-end (denial of service).
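The two parsing defects named above (duplicate Content-Length accepted, non-token header names accepted) plus the Content-Length/Transfer-Encoding conflict in the NVD text are exactly the checks RFC 7230 §3.2 and §3.3.3 tell a server to enforce before it trusts a body length. The program below is an added example, not code from the advisory or from the Go project: it is a small stand-alone framing validator that rejects each of those cases, run over constructed sample requests (the URLs, host name and body contents are invented for illustration). For comparison it also reports whether the net/http of whatever Go toolchain you run it with accepts the same bytes.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Constructed sample requests (not taken from the advisory). The second and
// third carry a smuggled "GET /admin" after the body the front end will see:
// a front end honouring the first Content-Length (5) forwards "hello" and
// treats the rest as a new request, while a back end honouring 26 or the
// chunked coding consumes the whole thing, so the two disagree on framing.
const (
	OKRequest  = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
	DupCL      = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 26\r\n\r\nhelloGET /admin HTTP/1.1\r\n"
	CLandTE    = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n"
	SpacedName = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent Length: 5\r\n\r\nhello"
)

// isToken reports whether s is a token per RFC 7230 §3.2.6, the only thing a
// header field name may be. A space, as in "Content Length", is not tchar.
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// CheckFraming applies the RFC 7230 §3.2 / §3.3.3 rules to a raw HTTP/1.1
// request head and returns nil only when the body length is unambiguous.
func CheckFraming(raw string) error {
	head, _, ok := strings.Cut(raw, "\r\n\r\n")
	if !ok {
		return errors.New("incomplete request head")
	}
	lines := strings.Split(head, "\r\n")
	var lengths, codings []string
	for _, ln := range lines[1:] { // lines[0] is the request line
		name, value, found := strings.Cut(ln, ":")
		if !found || !isToken(name) {
			return fmt.Errorf("malformed header line %q", ln)
		}
		value = strings.TrimSpace(value)
		switch strings.ToLower(name) {
		case "content-length":
			lengths = append(lengths, value)
		case "transfer-encoding":
			for _, c := range strings.Split(value, ",") {
				codings = append(codings, strings.ToLower(strings.TrimSpace(c)))
			}
		}
	}
	if len(codings) > 0 && len(lengths) > 0 {
		// §3.3.3: intermediaries may disagree on which header wins; reject.
		return errors.New("both Content-Length and Transfer-Encoding present")
	}
	if len(codings) > 0 && codings[len(codings)-1] != "chunked" {
		// §3.3.3: without a final chunked coding the request length is unknowable.
		return errors.New("Transfer-Encoding does not end with chunked")
	}
	for _, v := range lengths {
		if v != lengths[0] {
			// §3.3.2: differing duplicates are an error, not "take the first".
			return fmt.Errorf("conflicting Content-Length values %v", lengths)
		}
		if _, err := strconv.ParseUint(v, 10, 64); err != nil {
			return fmt.Errorf("invalid Content-Length %q", v)
		}
	}
	return nil
}

// StdlibAccepts reports whether the net/http in the Go toolchain running this
// program parses raw without error, for side-by-side comparison.
func StdlibAccepts(raw string) bool {
	_, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	return err == nil
}

func main() {
	samples := map[string]string{"ok": OKRequest, "dup-CL": DupCL, "CL+TE": CLandTE, "spaced-name": SpacedName}
	for name, raw := range samples {
		fmt.Printf("%-12s validator=%v  stdlib-accepts=%v\n", name, CheckFraming(raw), StdlibAccepts(raw))
	}
}
```

Run it with a Go release before 1.4.3 and the stdlib column accepts the ambiguous requests the advisory describes; a current toolchain should reject them, which is the behaviour the validator mirrors.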

Affected packages

Platform | Package | Status | Advisory | Release
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | golang | Will not fix | |
Red Hat OpenStack Platform 8 (Liberty) Operational Tools | golang | Will not fix | |
Red Hat Enterprise Linux 7 | golang | Fixed | RHSA-2016:1538 | 02.08.2016

Additional information

Status: Moderate
Weakness: CWE-444
https://bugzilla.redhat.com/show_bug.cgi?id=1250352 (golang: HTTP request smuggling in net/http library)

EPSS: 0.01751 (percentile 82%), Low

CVSS2: 6.8 Medium

Related vulnerabilities

CVSS3: 9.8
ubuntu
almost 6 years ago

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

CVSS3: 9.8
nvd
almost 6 years ago

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

CVSS3: 9.8
debian
almost 6 years ago

The net/http library in net/http/transfer.go in Go before 1.4.3 does n ...

CVSS3: 9.8
github
more than 3 years ago

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
