GO-2021-0143

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2021-0143

Import Source

https://vuln.go.dev/ID/GO-2021-0143.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2021-0143

Withdrawn

2024-05-15T05:37:11.077795Z

Published

2022-02-17T18:15:47Z

Modified

2022-05-13T18:33:00Z

Summary

[none]

Details

When a Handler does not explicitly set the Content-Type header, the net/http/cgi and net/http/fcgi packages default to "text/html", which can cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.

References

Affected packages

Go / net/http/cgi

Package

Name: net/http/cgi; View open source insights on deps.dev
Purl: pkg:golang/net/http/cgi

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14.8

Introduced

1.15.0

Fixed

1.15.1

Ecosystem specific

{
    "symbols": [
        "response.Write"
    ]
}

Database specific

url

"https://pkg.go.dev/vuln/GO-2021-0143"

source

"https://vuln.go.dev/ID/GO-2021-0143.json"

Go / net/http/fcgi

Package

Name: net/http/fcgi; View open source insights on deps.dev
Purl: pkg:golang/net/http/fcgi

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14.8

Introduced

1.15.0

Fixed

1.15.1

Ecosystem specific

{
    "symbols": [
        "response.Write"
    ]
}

Database specific

url

"https://pkg.go.dev/vuln/GO-2021-0143"

source

"https://vuln.go.dev/ID/GO-2021-0143.json"