PT-2016-6400 · Google+4 · Go+4
Dominic Scheirlinck +1 · Published 2016-07-18 · Updated 2024-06-15 · CVE-2016-5386
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Go versions through 1.6
Description
The issue allows remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request. Go does not address the RFC 3875 section 4.1.18 namespace conflict and therefore does not protect CGI applications from untrusted client data in the HTTP_PROXY environment variable. Because of this input validation flaw in the CGI components, an incoming Proxy header sets the HTTP_PROXY environment variable, which changes where Go by default proxies all outbound HTTP requests.
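The header-to-variable mapping described above, with two guards against it, as an added example that is not part of the original advisory or of Go's own code. The function names (cgiVar, buildEnv, safeProxyEnv) and the proxy hostname are hypothetical, and the request headers are constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiVar maps a request header name to its RFC 3875 section 4.1.18
// meta-variable: upper-case, "-" replaced by "_", prefixed with "HTTP_".
func cgiVar(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// buildEnv builds the environment a CGI host would hand to the child.
// With dropProxy set, the client-supplied Proxy header is skipped so it
// can never become HTTP_PROXY.
func buildEnv(h http.Header, dropProxy bool) map[string]string {
	env := map[string]string{"REQUEST_METHOD": "GET"}
	for name, vals := range h {
		key := cgiVar(name)
		if dropProxy && key == "HTTP_PROXY" {
			continue
		}
		env[key] = strings.Join(vals, ", ")
	}
	return env
}

// safeProxyEnv is an application-side guard (an assumption of this example):
// inside a CGI process, detected by REQUEST_METHOD being set, HTTP_PROXY is
// treated as client-controlled and ignored.
func safeProxyEnv(env map[string]string) string {
	if _, isCGI := env["REQUEST_METHOD"]; isCGI {
		return ""
	}
	return env["HTTP_PROXY"]
}

func main() {
	// Constructed request headers; proxy.example.invalid is a placeholder.
	h := http.Header{}
	h.Set("Proxy", "http://proxy.example.invalid:8080")
	h.Set("User-Agent", "demo")
	fmt.Println("unfiltered:", buildEnv(h, false)["HTTP_PROXY"])
	fmt.Println("filtered:  ", buildEnv(h, true)["HTTP_PROXY"])
	fmt.Println("app guard: ", safeProxyEnv(buildEnv(h, false)))
}
```

The first guard belongs in the component that launches the CGI process, the second in the application that makes outbound requests; either one alone keeps the Proxy header from selecting the proxy.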
Recommendations
For Go versions through 1.6, as a temporary workaround, consider restricting the use of the HTTP_PROXY environment variable to minimize the risk of exploitation. Avoid using the HTTP_PROXY variable in the affected CGI applications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Improper Access Control
Related Identifiers
Affected Products
Alt Linux
Centos
Go
Huawei Vrp
Red Hat