Vulnerability Details CVE-2015-5740
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.06
EPSS Ranking 90.3%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://seclists.org/oss-sec/2015/q3/237
- http://seclists.org/oss-sec/2015/q3/292
- http://seclists.org/oss-sec/2015/q3/294
- https://bugzilla.redhat.com/show_bug.cgi?id=1250352
- https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://seclists.org/oss-sec/2015/q3/237
- http://seclists.org/oss-sec/2015/q3/292
- http://seclists.org/oss-sec/2015/q3/294
- https://bugzilla.redhat.com/show_bug.cgi?id=1250352
- https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
Products affected by CVE-2015-5740
-
cpe:2.3:a:golang:go:-
-
cpe:2.3:a:golang:go:0.0.0-20201203163018-be400aefbc4c
-
cpe:2.3:a:golang:go:1.0
-
cpe:2.3:a:golang:go:1.0.1
-
cpe:2.3:a:golang:go:1.0.2
-
cpe:2.3:a:golang:go:1.0.3
-
cpe:2.3:a:golang:go:1.1
-
cpe:2.3:a:golang:go:1.1.1
-
cpe:2.3:a:golang:go:1.1.2
-
cpe:2.3:a:golang:go:1.2
-
cpe:2.3:a:golang:go:1.2.1
-
cpe:2.3:a:golang:go:1.2.2
-
cpe:2.3:a:golang:go:1.3
-
cpe:2.3:a:golang:go:1.3.1
-
cpe:2.3:a:golang:go:1.3.2
-
cpe:2.3:a:golang:go:1.3.3
-
cpe:2.3:a:golang:go:1.4
-
cpe:2.3:a:golang:go:1.4.1
-
cpe:2.3:a:golang:go:1.4.2
-
cpe:2.3:o:fedoraproject:fedora:21
-
cpe:2.3:o:fedoraproject:fedora:22
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6