reports/GO-2021-0241.yaml - vulndb - Git at Google

 module: std
 package: net/http/httputil
 versions:
   - fixed: go1.15.13
   - fixed: go1.16.5
   - fixed: go1.17.0
 description: |
     ReverseProxy can be made to forward certain hop-by-hop headers,
     including Connection. If the target of the ReverseProxy is
     itself a reverse proxy, this lets an attacker drop arbitrary
     headers, including those set by the ReverseProxy.Director.
 published: 2022-02-17T17:33:16Z
 cves:
   - CVE-2021-33197
 credit: Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson
 symbols:
   - ReverseProxy.ServeHTTP
 links:
     pr: https://go.dev/cl/321929
     commit: https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3
     context:
       - https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
       - https://go.dev/issue/46313
	module: std
	package: net/http/httputil
	versions:
	- fixed: go1.15.13
	- fixed: go1.16.5
	- fixed: go1.17.0
	description: \|
	ReverseProxy can be made to forward certain hop-by-hop headers,
	including Connection. If the target of the ReverseProxy is
	itself a reverse proxy, this lets an attacker drop arbitrary
	headers, including those set by the ReverseProxy.Director.
	published: 2022-02-17T17:33:16Z
	cves:
	- CVE-2021-33197
	credit: Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson
	symbols:
	- ReverseProxy.ServeHTTP
	links:
	pr: https://go.dev/cl/321929
	commit: https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3
	context:
	- https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
	- https://go.dev/issue/46313