CVE-2020-15586
Published 2020-07-17
Priority P4 · 32 · medium
CVSS 3.1: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 2.89% (85.2th percentile)
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cloudfoundry | cf-deployment | < 13.7.0 | 13.7.0 |
| cloudfoundry | routing-release | < 0.203.0 | 0.203.0 |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | golang-1.15 | < golang-1.15 1.15~rc1-1 (bullseye) | golang-1.15 1.15~rc1-1 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | < 1.13.13 | 1.13.13 |
| golang | go | >= 1.14.0 < 1.14.5 | 1.14.5 |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | — | — |
| msrc | golang-1.15.13-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | golang-1.15.13-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | python3-tensorboard-2.16.2-2.azl3.x86_64.rpm_on_azure_linux_3.0_x64 | — | — |
| msrc | python3-tensorboard-data-server-2.16.2-2.azl3.x86_64.rpm_on_azure_linux_3.0_x64 | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_msrc | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA
GHSA-9rmg-8r3f-xrq7 · ghsa_unreviewed · 2022-05-24 · MEDIUM · CWE-362
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
OSV
Data race and crash in net/http · osv · 2022-02-17
HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.
OSV
CVE-2020-15586 · osv · 2020-07-17 · CVSS 5.9 · MEDIUM
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Red Hat
golang: data race in certain net/http servers including ReverseProxy can lead to DoS · vendor_redhat · 2020-07-14 · CVSS 5.9 · MEDIUM · CWE-362
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.
Statement: OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the
Microsoft
vendor_msrc · 2020-07-14 · CVSS 5.9 · MEDIUM · CWE-362
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers as demonstrated by the httputil.ReverseProxy Handler because it reads a request body and writes a response at the same time.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will up
Debian
CVE-2020-15586: golang-1.15 · vendor_debian · 2020 · CVSS 5.9 · MEDIUM
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Scope: local
bullseye: resolved (fixed in 1.15~rc1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS [fedora-all] · bugzilla · 2020-07-14 · CVSS 5.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS [epel-all] · bugzilla · 2020-07-14 · CVSS 5.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS · bugzilla · 2020-07-14 · CVSS 5.9 · MEDIUM
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.
References:
https://github.com/golang/go/issues/34902
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1856956]
Affects: fedora-all [bug 1856957]
---
External References:
https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ
---
Statement:
OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/h
References:
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html
https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w
https://groups.google.com/forum/#%21topic/golang-announce/f2c5bqrGH_g
https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCR6LAKCVKL55KJQPPBBWVQGOP7RL2RW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/
https://security.netapp.com/advisory/ntap-20200731-0005/
https://www.cloudfoundry.org/blog/cve-2020-15586/
https://www.debian.org/security/2021/dsa-4848
https://www.oracle.com/security-alerts/cpuApr2021.html