blob: 477a288e69e8db54f22b2c7ea7d08fd6e7768dcb [file] [log] [blame]
id: GO-2022-0761
modules:
- module: std
versions:
- fixed: 1.6.3
vulnerable_at: 1.6.2
packages:
- package: net/http
symbols:
- Handler.ServeHTTP
- package: net/http/cgi
symbols:
- ProxyFromEnvironment
summary: Improper input validation in net/http and net/http/cgi
description: |-
An input validation flaw in the CGI components allows the HTTP_PROXY environment
variable to be set by the incoming Proxy header, which changes where Go by
default proxies all outbound HTTP requests.
This environment variable is also used to set the outgoing proxy, enabling an
attacker to insert a proxy into outgoing requests of a CGI program.
Read more about "httpoxy" here: https://httpoxy.org.
published: 2022-08-09T17:05:15Z
cves:
- CVE-2016-5386
credits:
- Dominic Scheirlinck
references:
- fix: https://go.dev/cl/25010
- fix: https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223
- report: https://go.dev/issue/16405
- web: https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ
review_status: REVIEWED