CVE-2015-5739
published 2017-10-18CVE-2015-5739: The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP…
critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | <= 1.4.2 | — |
| paloalto | pan-os | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
GHSA
GHSA-92gr-8fh9-j8vq: The net/http library in net/textproto/reader
ghsa_unreviewed·2022-05-14
CVE-2015-5739 [CRITICAL] CWE-444 GHSA-92gr-8fh9-j8vq: The net/http library in net/textproto/reader
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
OSV
Request smuggling due to improper header parsing in net/http
osv·2022-01-05
CVE-2015-5739 Request smuggling due to improper header parsing in net/http
Request smuggling due to improper header parsing in net/http
HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
OSV
CVE-2015-5739: The net/http library in net/textproto/reader
osv·2017-10-18·CVSS 9.8
CVE-2015-5739 [CRITICAL] CVE-2015-5739: The net/http library in net/textproto/reader
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
Palo Alto
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
vendor_paloalto·2024-04-10·CVSS 9.8
CVE-2015-5739 [CRITICAL] PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution. CVE Summary CVE-2015-5739 This CVE is fixed in PAN-OS 11.0.4, and all later PAN-OS versions. CVE-2016-10228 This CVE is fixed in PAN-OS 11.1.3, and all later PAN-OS versions. CVE-2017-8923 This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. CVE-2017-9120 This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. CVE-2018-25009 This CVE is fixed in PAN-OS 10.2.8, 11.0.4, 11.1.3, and all later PAN-OS versions. CVE-2
Red Hat
golang: HTTP request smuggling in net/http library
vendor_redhat·2015-07-29·CVSS 9.8
CVE-2015-5739 [CRITICAL] CWE-444 golang: HTTP request smuggling in net/http library
golang: HTTP request smuggling in net/http library
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (de
No detection rules found.
No public exploits indexed.
HackerOne
Multiple HTTP Smuggling reports
hackerone·2019-11-12·CVSS 9.8
[CRITICAL] Multiple HTTP Smuggling reports
Multiple HTTP Smuggling reports
Theses reports spreads other several years and are all about **HTTP Smuggling issues**
(HTTP Requests or Responses splitting, Cache Poisoning, Security filter bypass).
I've made reports on a wide range of open source projects, explaining
the (not always easy) problems to the various security maintainers and testing the fixs.
The starting point for this work was the 2005 work published by Amit Klein and some others:
* 2004 - Amit Klein : "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" https://packetstormsecurity.com/papers/general/whitepaper_httpresponse.pdf
* 2005 - Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: "HTTP Request Smuggling" https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
* 2006 -
Bugzilla
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
bugzilla·2015-08-05·CVSS 9.8
CVE-2015-5739 [CRITICAL] CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
There have been found potentially exploitable flaws in Golang net/http library affecting versions 1.4.2 and 1.5.
Problems:
* Double Content-length headers in a request does not generate a 400 error, the second Content-length is ignored.
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle)
Exploitations:
In a situation where the net/http agent HTTP communication with the final
http clients is using some reverse proxy (reverse proxy cache, SSL
terminators, etc), some requests can be made exploiting the net/http HTTP
protocol violations.
Attacker could possibly:
* bypass security controls on theses previous elements
* perform some cache poisoning on the
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1538.htmlhttp://seclists.org/oss-sec/2015/q3/237http://seclists.org/oss-sec/2015/q3/292http://seclists.org/oss-sec/2015/q3/294http://www.securityfocus.com/bid/76281https://bugzilla.redhat.com/show_bug.cgi?id=1250352https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1538.htmlhttp://seclists.org/oss-sec/2015/q3/237http://seclists.org/oss-sec/2015/q3/292http://seclists.org/oss-sec/2015/q3/294http://www.securityfocus.com/bid/76281https://bugzilla.redhat.com/show_bug.cgi?id=1250352https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
2017-10-18
Published