Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA (CVE-2019-16276): go -- invalid headers are normalized, allowing request smuggling

Back to Search

FreeBSD: VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA (CVE-2019-16276): go -- invalid headers are normalized, allowing request smuggling

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
09/25/2019
Created
10/01/2019
Added
09/29/2019
Modified
01/22/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA:

The Go project reports:

net/http (through net/textproto) used to accept and normalize invalid

HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.

If a Go server is used behind a reverse proxy that accepts and forwards

but doesn't normalize such invalid headers, the reverse proxy and the

server can interpret the headers differently. This can lead to filter

bypasses or request smuggling, the latter if requests from separate clients

are multiplexed onto the same connection by the proxy. Such invalid headers

are now rejected by Go servers, and passed without normalization to Go

client applications.

Solution(s)

  • freebsd-upgrade-package-go
  • freebsd-upgrade-package-go-devel

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;