exploitDog


CVE-2020-24553

Published: 01 Aug 2020
Source: redhat
CVSS3: 6.1
EPSS: Low

Description

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

A flaw was found in the Go standard library packages net/http/cgi and net/http/fcgi before upstream versions 1.14.8 and 1.15.1. When a handler served through either package writes a response body without setting a Content-Type header, the child process filled the header in as "text/html" (the fixed versions instead sniff the body with http.DetectContentType, as net/http itself does). Any attacker-influenced content that such a handler echoes back, for example an uploaded file returned as-is or a reflected request parameter, is therefore rendered by the browser as HTML, allowing a cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
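The following is an added example written for this page; it is not code from Go, Red Hat or the advisory. It models the pre-fix CGI child behaviour in a small in-process writer (legacyCGIWriter, a constructed stand-in that applies the old "text/html" default without sniffing), shows a handler that reflects a request parameter without a Content-Type (vulnerableEcho), and shows the mitigation available to an application that cannot upgrade yet: a wrapper (ContentTypeGuard, a hypothetical helper name) that guarantees an explicit Content-Type and X-Content-Type-Options before the first body byte is written. EffectiveContentType is a demonstration helper that reports what the client would have received.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vulnerableEcho is the pattern CVE-2020-24553 bites: the handler writes
// attacker-influenced bytes and never sets Content-Type. Served through
// cgi.Serve or fcgi.Serve on Go < 1.14.8 / 1.15.0, the child filled the header
// in as "text/html; charset=utf-8", so the echoed value ran as markup.
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "you searched for: %s\n", r.FormValue("q"))
}

// guardedWriter wraps an http.ResponseWriter and forces an explicit
// Content-Type before the first byte of the body leaves the handler.
type guardedWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (g *guardedWriter) ensureType() {
	if g.wroteHeader {
		return
	}
	g.wroteHeader = true
	h := g.Header()
	if h.Get("Content-Type") == "" {
		h.Set("Content-Type", "text/plain; charset=utf-8")
	}
	// Stop browsers from second-guessing the declared type.
	h.Set("X-Content-Type-Options", "nosniff")
}

func (g *guardedWriter) WriteHeader(code int) {
	g.ensureType()
	g.ResponseWriter.WriteHeader(code)
}

func (g *guardedWriter) Write(p []byte) (int, error) {
	g.ensureType()
	return g.ResponseWriter.Write(p)
}

// ContentTypeGuard (hypothetical name, not part of net/http) is the mitigation
// for applications that cannot upgrade yet: wrap the handler handed to
// cgi.Serve / fcgi.Serve so the child never relies on the package default.
func ContentTypeGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&guardedWriter{ResponseWriter: w}, r)
	})
}

// legacyCGIWriter is a constructed model of the pre-fix CGI child response: it
// records headers verbatim (no sniffing, unlike httptest.ResponseRecorder) and
// applies the old default when Content-Type is absent.
type legacyCGIWriter struct {
	header http.Header
	body   bytes.Buffer
	status int
}

func (l *legacyCGIWriter) Header() http.Header { return l.header }

func (l *legacyCGIWriter) WriteHeader(code int) {
	if l.status == 0 {
		l.status = code
		if l.header.Get("Content-Type") == "" {
			l.header.Set("Content-Type", "text/html; charset=utf-8")
		}
	}
}

func (l *legacyCGIWriter) Write(p []byte) (int, error) {
	l.WriteHeader(http.StatusOK)
	return l.body.Write(p)
}

// EffectiveContentType runs h for a GET of target against the legacy child
// model and returns the Content-Type the client would receive plus the body.
func EffectiveContentType(h http.Handler, target string) (string, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	w := &legacyCGIWriter{header: make(http.Header)}
	h.ServeHTTP(w, req)
	return w.header.Get("Content-Type"), w.body.String()
}

func main() {
	target := "/search?q=" + url.QueryEscape("<script>alert(document.cookie)</script>")
	ct, body := EffectiveContentType(http.HandlerFunc(vulnerableEcho), target)
	fmt.Printf("unpatched child, bare handler: %s\n  %s", ct, body)
	ct, body = EffectiveContentType(ContentTypeGuard(http.HandlerFunc(vulnerableEcho)), target)
	fmt.Printf("unpatched child, guarded:      %s\n  %s", ct, body)
	// In a real deployment the wrap is the only change:
	//   cgi.Serve(ContentTypeGuard(http.HandlerFunc(vulnerableEcho)))
}
```

The guard sets text/plain only when the handler left the header empty, so handlers that deliberately emit HTML are unaffected; the nosniff header is added unconditionally because the fix in 1.14.8/1.15.1 relies on sniffing, and an explicit type plus nosniff removes that guesswork on both old and new toolchains. Escaping reflected input with html/template remains necessary for any handler that intends to produce HTML.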

Statement

Multiple components in the Red Hat OpenShift Container Platform are built with Go and use net/http, however, none include the specific vulnerable packages net/http/cgi and net/http/fcgi. Red Hat OpenShift Container Platform is not affected by this flaw.

Affected packages

Platform                     | Package                                       | State        | Recommendation | Release
Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel7   | Not affected |                |
OpenShift Serverless         | CLI                                           | Affected     |                |
OpenShift Service Mesh 1     | ior                                           | Not affected |                |
OpenShift Service Mesh 1     | kiali                                         | Not affected |                |
OpenShift Service Mesh 1     | openshift-service-mesh/3scale-istio-adapter-rhel8 | Not affected |            |
OpenShift Service Mesh 1     | servicemesh                                   | Not affected |                |
OpenShift Service Mesh 1     | servicemesh-cni                               | Not affected |                |
OpenShift Service Mesh 1     | servicemesh-grafana                           | Not affected |                |
OpenShift Service Mesh 1     | servicemesh-operator                          | Not affected |                |
OpenShift Service Mesh 1     | servicemesh-prometheus                        | Not affected |                |


Additional information

Severity: Moderate
Weakness: CWE-79
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1874857
golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS

EPSS: 0.00184 (percentile: 40%, Low)

CVSS3: 6.1 (Medium)

Related vulnerabilities

CVSS3: 6.1
ubuntu
more than 5 years ago

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

CVSS3: 6.1
nvd
more than 5 years ago

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

CVSS3: 6.1
msrc
more than 5 years ago

No description

CVSS3: 6.1
debian
more than 5 years ago

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html ...

suse-cvrf
more than 5 years ago

Security update for go1.14
