PT-2020-7870 · Go+3

Régis Leroy · Published 2015-09-28 · Updated 2022-01-05 · CVE-2015-5741

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.4.3
Description: The net/http library parses HTTP headers improperly, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
Recommendations: For Go versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/http library until a patch is applied. Avoid using the Content-Length and Transfer-Encoding header fields in requests to minimize the risk of exploitation.
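
An added example (not code from the Go project or from this advisory): a Go check that a front end or log pipeline could run over a raw HTTP/1.x request to flag the header combination named in the description. The function names and the sample requests are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// FramingValues scans the header block of a raw HTTP/1.x request (the part
// before the first empty line) and returns every Content-Length and
// Transfer-Encoding value. Names are trimmed and compared case-insensitively.
func FramingValues(raw string) (cl, te []string) {
	head := strings.SplitN(raw, "\r\n\r\n", 2)[0]
	lines := strings.Split(head, "\r\n")
	for _, line := range lines[1:] { // lines[0] is the request line
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		value := strings.TrimSpace(parts[1])
		switch strings.ToLower(strings.TrimSpace(parts[0])) {
		case "content-length":
			cl = append(cl, value)
		case "transfer-encoding":
			te = append(te, value)
		}
	}
	return cl, te
}

// Ambiguous reports whether a request carries both framing headers.
func Ambiguous(raw string) bool {
	cl, te := FramingValues(raw)
	return len(cl) > 0 && len(te) > 0
}

// Constructed sample requests (not taken from the advisory).
const (
	sampleBoth    = "POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
	sampleChunked = "POST /a HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)

func main() {
	for _, raw := range []string{sampleBoth, sampleChunked} {
		cl, te := FramingValues(raw)
		fmt.Printf("CL=%v TE=%v ambiguous=%v\n", cl, te, Ambiguous(raw))
	}
}
```

Only the header block is inspected, so header-like text inside a request body does not trigger the check.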

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALT-PU-2015-1812
AZL-78996
CESA-2016_1538
CVE-2015-5741
GO-2021-0159
RHSA-2016:1538
RHSA-2016_1538

Affected Products

Alt Linux
CentOS
Go
Red Hat