Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2015-5739

Published: 18/10/2017 Updated: 10/05/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Go

Vulnerability Summary

The net/http library in net/textproto/reader.go in Go prior to 1.4.3 does not properly parse HTTP header keys, which allows remote malicious users to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."

Vulnerable Product Search on Vulmon Subscribe to Product

golang go

fedoraproject fedora 22

fedoraproject fedora 21

redhat enterprise linux server aus 7.4

redhat enterprise linux server eus 7.2

redhat enterprise linux server tus 7.6

redhat enterprise linux server eus 7.4

redhat enterprise linux server eus 7.5

redhat enterprise linux server eus 7.6

redhat enterprise linux server tus 7.2

redhat enterprise linux server 7.0

redhat enterprise linux server aus 7.2

redhat enterprise linux server aus 7.3

redhat enterprise linux server aus 7.6

redhat enterprise linux server eus 7.3

redhat enterprise linux server tus 7.3

Vendor Advisories

Debian CVElist Bug Report Logs: golang: CVE-2015-5739 CVE-2015-5740 CVE-2015-5741
Debian Bug report logs - #795106 golang: CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 Package: src:golang; Maintainer for src:golang is Go Compiler Team <team+go-compiler@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 10 Aug 2015 16:48:02 UTC Severity: important Tags: fixed-upstrea ...
Amazon Linux AMI: ALAS-2015-588
As discussed upstream -- <a href="seclistsorg/oss-sec/2015/q3/294">here </a> and <a href="seclistsorg/oss-sec/2015/q3/237">here</a> -- the Go project received notification of an HTTP request smuggling vulnerability in the net/http library Invalid headers are parsed as valid headers (like "Content Length:" w ...
Red Hat: CVE-2015-5739
HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted) A non-authenticated attacker co ...

References

CWE-444https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9https://bugzilla.redhat.com/show_bug.cgi?id=1250352http://seclists.org/oss-sec/2015/q3/294http://seclists.org/oss-sec/2015/q3/292http://seclists.org/oss-sec/2015/q3/237http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.htmlhttp://www.securityfocus.com/bid/76281http://rhn.redhat.com/errata/RHSA-2016-1538.htmlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795106https://nvd.nist.govhttps://alas.aws.amazon.com/ALAS-2015-588.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4040privilege escalationCVE-2024-4112CVE-2024-32872man-in-the-middleCVE-2024-32788bypassCVE-2024-3400CVE-2024-28976
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook