CVE-2021-33197
Published: 2021-08-02
Priority: P4 (32) · Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 2.28% (81.0th percentile)
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.9-5 (bullseye) | golang-1.15 1.15.9-5 (bullseye) |
| golang | go | < 1.15.13 | 1.15.13 |
| golang | go | >= 1.16.0 < 1.16.5 | 1.16.5 |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | 5.3 | MEDIUM | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_msrc | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-11-01 · CVSS 9.8 · CVE-2017-12424 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Microsoft
In Go before 1.15.13 and 1.16.x before 1.16.5 some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
vendor_msrc · 2021-08-10 · CVSS 5.3 · CVE-2021-33197 [MEDIUM] · CWE-862
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect thi
Red Hat
golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
vendor_redhat · 2021-05-21 · CVSS 5.3 · CVE-2021-33197 [MEDIUM] · CWE-20
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
Statement:
* Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.
* For Red Hat OpenStack Platform, because the flaw has a lower impact and the fix wo
Debian
CVE-2021-33197: golang-1.15 - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReversePro...
vendor_debian · 2021 · CVSS 5.3 · CVE-2021-33197 [MEDIUM]
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
Scope: local
bullseye: resolved (fixed in 1.15.9-5)
GHSA
GHSA-wqr7-cf9q-rvf7: Go before 1
ghsa_unreviewed · 2022-05-24 · CVE-2021-33197 [MEDIUM] · CWE-862
Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary.
OSV
Attacker can drop certain headers in net/http/httputil
osv · 2022-02-17 · CVE-2021-33197
ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.
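As an added example (not code from the page, from Go, or from any of the advisories above), the Go snippet below shows the condition the Red Hat and OSV descriptions refer to and one defensive pattern for a Director: a presence check built on Header.Get sees only the first Connection value, so an empty first value reads as "absent" and later values would be forwarded to the next hop; stripping hop-by-hop headers by presence, before the proxy adds its own headers, avoids that. The names hopByHop, firstValueOnlyWouldSkip, sanitizeHopByHop, hardenedDirector and the X-Proxy-Tag header are assumptions of this example.

```go
package main

import (
	"net/http"
	"net/textproto"
	"net/url"
	"strings"
)

// RFC 7230 section 6.1 hop-by-hop set, the list httputil.ReverseProxy strips.
var hopByHop = []string{"Connection", "Proxy-Connection", "Keep-Alive",
	"Proxy-Authenticate", "Proxy-Authorization", "Te", "Trailer",
	"Transfer-Encoding", "Upgrade"}

// firstValueOnlyWouldSkip mirrors a presence check built on Header.Get: Get
// returns only the first value, so an empty first Connection value reads as
// "absent" and every later value is forwarded. That is the CVE condition.
func firstValueOnlyWouldSkip(h http.Header, name string) bool {
	return h.Get(name) == ""
}

// sanitizeHopByHop deletes every header a Connection value names and every
// hop-by-hop header that is present at all, whatever its first value.
// (Te is dropped outright here; the stdlib keeps "Te: trailers".)
func sanitizeHopByHop(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if tok = textproto.TrimString(tok); tok != "" {
				h.Del(textproto.CanonicalMIMEHeaderKey(tok))
			}
		}
	}
	for _, name := range hopByHop {
		h.Del(name) // by presence: removes all values, empty ones included
	}
}

// hardenedDirector sanitizes client headers before adding the proxy's own,
// so a client cannot name a proxy-set header for removal at the next hop.
// Wire it up as &httputil.ReverseProxy{Director: hardenedDirector(target)}.
func hardenedDirector(target *url.URL) func(*http.Request) {
	return func(req *http.Request) {
		sanitizeHopByHop(req.Header)
		req.URL.Scheme, req.URL.Host = target.Scheme, target.Host
		req.Header.Set("X-Proxy-Tag", "edge-1") // constructed trusted header
	}
}
```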
OSV
CVE-2021-33197: In Go before 1
osv · 2021-08-02 · CVSS 5.3 · CVE-2021-33197 [MEDIUM]
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.