blob: caf62ff232df0737221436262d6bbe6a43562875 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2021-0159",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-01-05T21:39:14Z",
"aliases": [
"CVE-2015-5739",
"CVE-2015-5740",
"CVE-2015-5741"
],
"summary": "Request smuggling due to improper header parsing in net/http",
"details": "HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/http",
"symbols": [
"CanonicalMIMEHeaderKey",
"body.readLocked",
"canonicalMIMEHeaderKey",
"chunkWriter.writeHeader",
"fixLength",
"fixTransferEncoding",
"readTransfer",
"transferWriter.shouldSendContentLength",
"validHeaderFieldByte"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/13148"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/26049f6f9171d1190f3bbe05ec304845cfe6399f"
},
{
"type": "FIX",
"url": "https://go.dev/cl/11772"
},
{
"type": "FIX",
"url": "https://go.dev/cl/11810"
},
{
"type": "FIX",
"url": "https://go.dev/cl/12865"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/300d9a21583e7cf0149a778a0611e76ff7c6680f"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/c2db5f4ccc61ba7df96a747e268a277b802cbb87"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/12027"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/11930"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ"
}
],
"credits": [
{
"name": "Jed Denlea"
},
{
"name": "RĂ©gis Leroy"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0159",
"review_status": "REVIEWED"
}
}