CVE-2019-16276

Published: 30/09/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

Go prior to 1.12.10 and 1.13.x prior to 1.13.1 allow HTTP Request Smuggling.

Vulnerable Product

golang go

debian debian linux 9.0

opensuse leap 15.0

opensuse leap 15.1

fedoraproject fedora 29

fedoraproject fedora 30

fedoraproject fedora 31

redhat openshift_container_platform 4.2

redhat enterprise linux 8.0

redhat developer tools 1.0

redhat enterprise linux eus 8.1

netapp cloud insights telegraf agent -

Vendor Advisories

Debian Bug report logs - #941173 [golang-1.12] Security patch for HTTP smuggling. Package: golang-1.12; Maintainer for golang-1.12 is Go Compiler Team <team+go-compiler@tracker.debian.org>; Source for golang-1.12 is src:golang-1.12 (PTS, buildd, popcon). Reported by: Tim Sattarov <stimur@gmail.com>. Date: Wed, 25 Sep 20 ...
Synopsis: Moderate: go-toolset-1.12-golang security update. Type/Severity: Security Advisory: Moderate. Topic: An update for go-toolset-1.12 and go-toolset-1.12-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vul ...
Synopsis: Moderate: OpenShift Container Platform 4.2.21 openshift/installer security update. Type/Severity: Security Advisory: Moderate. Topic: An update for ose-installer-artifacts-container and ose-installer-container is now available for Red Hat OpenShift Container Platform 4.2. Red Hat Product Security has ra ...
Synopsis: Moderate: go-toolset:rhel8 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring ...
It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups. For the stable distribution (buster), this problem has been fixed in version 1.11.6-1+deb10u2. We recommend that you upgrade your golang-1.11 pac ...
It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific networ ...
net/http (through net/textproto) in Go before 1.12.10 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers ...

Github Repositories

Curated repo of Kubernetes CVEs

k8s-cves: This repository is meant to be a single source of truth for Kubernetes-related CVEs. The data gathered here is meant to be as up-to-date as possible. Currently, the data comes from a combination of: NVD, Kubernetes GitHub issues, announcements from kubernetes-security-announce. Though this repository is meant to be a single source of truth, there may be mistakes. We try