Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-33197

Опубликовано: 21 мая 2021
Источник: redhat
CVSS3: 5.3
EPSS Низкий

Описание

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.

Отчет

  • Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.
  • For Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the golang-qpid-apache package.
  • In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no updates will be provided at this time for the STF containers.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Serverlessknative-servingAffected
OpenShift Service Mesh 2.0servicemeshAffected
OpenShift Service Mesh 2.0servicemesh-grafanaAffected
OpenShift Service Mesh 2.0servicemesh-operatorWill not fix
OpenShift Service Mesh 2.0servicemesh-prometheusAffected
Red Hat Ceph Storage 2golangOut of support scope
Red Hat Ceph Storage 2grafanaOut of support scope
Red Hat Ceph Storage 3golangOut of support scope
Red Hat Ceph Storage 3golang-github-prometheus-node_exporterOut of support scope
Red Hat Ceph Storage 3grafanaOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1989570golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

EPSS

Процентиль: 2%
0.00017
Низкий

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-33197

CVSS3: 5.3
ubuntu
почти 4 года назад

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

nvd логотип

CVE-2021-33197

CVSS3: 5.3
nvd
почти 4 года назад

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

msrc логотип

CVE-2021-33197

CVSS3: 5.3
msrc
9 месяцев назад

Описание отсутствует

debian логотип

CVE-2021-33197

CVSS3: 5.3
debian
почти 4 года назад

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ...

github логотип

GHSA-wqr7-cf9q-rvf7

CVSS3: 5.3
github
около 3 лет назад

Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary.

EPSS

Процентиль: 2%
0.00017
Низкий

5.3 Medium

CVSS3

Уязвимость CVE-2021-33197