CVE-2019-16276 — HTTP Request Smuggling in GO

CWE-444 — HTTP Request Smuggling10 documents7 sources

Severity

7.5HIGHNVD

EPSS

9.8%

top 7.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Debian Linux Fedoraproject Fedora +5 more

Timeline

PublishedSep 30

Latest updateMay 24

Description

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDgolang/go1.13 — 1.13.1+1

▶NVDopensuse/leap15.0, 15.1+1

▶NVDredhat/developer_tools1.0

Also affects: Debian Linux 9.0, Fedora 29, 30, 31, Enterprise Linux 8.0, 8.1, Openshift Container Platform 4.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-xv7j-jr8q-mhmm: Go before 1↗2022-05-24

▶

OSV

Request smuggling due to accepting invalid headers in net/http via net/textproto↗2022-05-23

▶

CVEList

CVE-2019-16276: Go before 1↗2019-09-30

▶

OSV

CVE-2019-16276: Go before 1↗2019-09-30

▶

📋Vendor Advisories

Red Hat

golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling↗2019-09-25

▶

Microsoft

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.↗2019-09-10

▶

💬Community

Bugzilla

CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling↗2019-09-26

▶

Bugzilla

CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling [fedora-all]↗2019-09-26

▶

Bugzilla

CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling [epel-all]↗2019-09-26

▶