reports/GO-2021-0241.yaml - vulndb - Git at Google

 packages:
   - module: std
     package: net/http/httputil
     symbols:
       - ReverseProxy.ServeHTTP
     versions:
       - fixed: go1.15.13
       - introduced: go1.16.0
         fixed: go1.16.5
 description: |
     ReverseProxy can be made to forward certain hop-by-hop headers,
     including Connection. If the target of the ReverseProxy is
     itself a reverse proxy, this lets an attacker drop arbitrary
     headers, including those set by the ReverseProxy.Director.
 published: 2022-02-17T17:33:16Z
 cves:
   - CVE-2021-33197
 credit: Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson
 links:
     pr: https://go.dev/cl/321929
     commit: https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3
     context:
       - https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
       - https://go.dev/issue/46313
	packages:
	- module: std
	package: net/http/httputil
	symbols:
	- ReverseProxy.ServeHTTP
	versions:
	- fixed: go1.15.13
	- introduced: go1.16.0
	fixed: go1.16.5
	description: \|
	ReverseProxy can be made to forward certain hop-by-hop headers,
	including Connection. If the target of the ReverseProxy is
	itself a reverse proxy, this lets an attacker drop arbitrary
	headers, including those set by the ReverseProxy.Director.
	published: 2022-02-17T17:33:16Z
	cves:
	- CVE-2021-33197
	credit: Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson
	links:
	pr: https://go.dev/cl/321929
	commit: https://go.googlesource.com/go/+/950fa11c4cb01a145bb07eeb167d90a1846061b3
	context:
	- https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
	- https://go.dev/issue/46313