PT-2017-6888 · Google+3 · Go+3

Régis Leroy

Published

2015-09-28

Updated

2022-01-05

CVE-2015-5739

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.4.3

Description The issue arises from improper parsing of HTTP header keys in the net/http library, specifically when a space is used instead of a hyphen, as seen in "Content Length" instead of "Content-Length". This allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

Recommendations For Go versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/http library until a patch is applied. Avoid using the Content-Length and Transfer-Encoding header fields in the affected API endpoints until the issue is resolved.

Fix

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

ALT-PU-2015-1812

CESA-2016_1538

CVE-2015-5739

GO-2021-0159

RHSA-2016:1538

RHSA-2016_1538

Affected Products

Alt Linux

Centos

Red Hat

PT-2017-6888 · Google+3 · Go+3

CVE-2015-5739

Weakness Enumeration

Related Identifiers

Affected Products

References · 43