CVE-2021-33197 — Missing Authorization in GO

CWE-862 — Missing Authorization CWE-20 — Improper Input Validation9 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 88.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Paloalto Pan-os

Timeline

PublishedAug 2

Latest updateNov 1

Description

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgolang/go1.16.0 — 1.16.5+1

▶Palo Altopaloalto/pan-os

Patches

Patch: groups.google.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

GHSA

GHSA-wqr7-cf9q-rvf7: Go before 1↗2022-05-24

▶

OSV

Attacker can drop certain headers in net/http/httputil↗2022-02-17

▶

OSV

CVE-2021-33197: In Go before 1↗2021-08-02

▶

CVEList

CVE-2021-33197: In Go before 1↗2021-08-02

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-11-01

▶

Microsoft

In Go before 1.15.13 and 1.16.x before 1.16.5 some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.↗2021-08-10

▶

Red Hat

golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty↗2021-05-21

▶

Debian

CVE-2021-33197: golang-1.15 - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReversePro...↗2021

▶