CVE-2019-16276HTTP Request Smuggling in GO

CWE-444HTTP Request Smuggling10 documents7 sources
Severity
7.5HIGHNVD
EPSS
9.8%
top 7.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Golang GODebian LinuxFedoraproject Fedora+5 more
Timeline
PublishedSep 30
Latest updateMay 24

Description

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgolang/go1.131.13.1+1
NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 9.0, Fedora 29, 30, 31, Enterprise Linux 8.0, 8.1, Openshift Container Platform 4.2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
GHSA-xv7j-jr8q-mhmm: Go before 12022-05-24
OSV
Request smuggling due to accepting invalid headers in net/http via net/textproto2022-05-23
CVEList
CVE-2019-16276: Go before 12019-09-30
OSV
CVE-2019-16276: Go before 12019-09-30

📋Vendor Advisories

2
Red Hat
golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling2019-09-25
Microsoft
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.2019-09-10

💬Community

3
Bugzilla
CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling2019-09-26
Bugzilla
CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling [fedora-all]2019-09-26
Bugzilla
CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling [epel-all]2019-09-26
CVE-2019-16276 — HTTP Request Smuggling in Golang GO | cvebase