
FreeBSD: VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA (CVE-2019-16276): go -- invalid headers are normalized, allowing request smuggling

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: Sep 25, 2019
Added: Sep 29, 2019
Modified: Jan 22, 2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.


From VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA:

The Go project reports:

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.
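As an added example (not part of the advisory and not code from Go's net/http), the following Go program contrasts strict RFC 7230 header-line parsing with the lenient normalization the advisory describes, and lists the header lines the two parsers would disagree on. That disagreement is exactly what a proxy and a backend must not have, so the same check can be run at the edge to reject such requests before forwarding. The function names and the sample header block are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// isTchar reports whether b is a "tchar" from RFC 7230 section 3.2.6,
// the only characters permitted in a header field-name.
func isTchar(b byte) bool {
	switch {
	case b >= 'a' && b <= 'z', b >= 'A' && b <= 'Z', b >= '0' && b <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", b) >= 0
}

// ErrInvalidFieldName is returned for a header line whose field-name is not
// a token immediately followed by a colon (e.g. "Content-Length : 5").
var ErrInvalidFieldName = errors.New("invalid header field-name")

// ParseHeaderStrict splits one header line per RFC 7230:
// field-name ":" OWS field-value OWS. Any whitespace between the name and
// the colon is rejected, which is the behaviour of patched Go servers.
func ParseHeaderStrict(line string) (name, value string, err error) {
	i := strings.IndexByte(line, ':')
	if i <= 0 {
		return "", "", ErrInvalidFieldName
	}
	name = line[:i]
	for j := 0; j < len(name); j++ {
		if !isTchar(name[j]) {
			return "", "", ErrInvalidFieldName
		}
	}
	return name, strings.TrimSpace(line[i+1:]), nil
}

// ParseHeaderLenient models the pre-fix normalization: whitespace before the
// colon is trimmed from the field-name, so "Content-Length : 5" is accepted
// as a Content-Length header. Included only for comparison (hypothetical
// model of the old behaviour, not Go's actual implementation).
func ParseHeaderLenient(line string) (name, value string, err error) {
	i := strings.IndexByte(line, ':')
	if i <= 0 {
		return "", "", ErrInvalidFieldName
	}
	name = strings.TrimRight(line[:i], " \t")
	if name == "" {
		return "", "", ErrInvalidFieldName
	}
	return name, strings.TrimSpace(line[i+1:]), nil
}

// Discrepancy describes a header line that a lenient parser accepts but a
// strict parser rejects, i.e. a line two hops in a proxy chain may read differently.
type Discrepancy struct {
	Line       string
	Normalized string // the field-name a lenient parser would produce
}

// FindDiscrepancies scans a raw HTTP/1.1 header section (CRLF- or LF-separated
// lines, request line already removed) and returns every line that a strict
// parser rejects but a lenient one silently normalizes. A proxy or filter can
// use the result to reject the request instead of forwarding it.
func FindDiscrepancies(headerBlock string) []Discrepancy {
	var out []Discrepancy
	for _, line := range strings.Split(headerBlock, "\n") {
		line = strings.TrimRight(line, "\r")
		if line == "" {
			continue
		}
		if _, _, err := ParseHeaderStrict(line); err == nil {
			continue
		}
		if name, _, err := ParseHeaderLenient(line); err == nil {
			out = append(out, Discrepancy{Line: line, Normalized: name})
		}
	}
	return out
}

// Constructed sample header section (not a real capture): the second line
// carries a space before the colon, the malformation the advisory describes.
const sampleHeaders = "Host: example.test\r\n" +
	"Content-Length : 5\r\n" +
	"X-Forwarded-For: 10.0.0.1\r\n"

func main() {
	for _, d := range FindDiscrepancies(sampleHeaders) {
		fmt.Printf("strict parser rejects %q; lenient parser reads it as %q\n", d.Line, d.Normalized)
	}
}
```

Running the program reports the single `Content-Length : 5` line: a strict parser drops the request, a lenient one treats the line as a valid Content-Length header, and a chain mixing the two behaviours is what makes the body boundary ambiguous.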




Solution(s)

freebsd-upgrade-package-go
freebsd-upgrade-package-go-devel