GO-2022-0761

Source
https://pkg.go.dev/vuln/GO-2022-0761
Import Source
https://vuln.go.dev/ID/GO-2022-0761.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0761
Aliases
Published
2022-08-09T17:05:15Z
Modified
2024-05-20T16:03:47Z
Summary
Improper input validation in net/http and net/http/cgi
Details

An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests.

This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.

Read more about "httpoxy" here: https://httpoxy.org.
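
The header-to-environment mapping described above, as an added example that is not Go's standard-library code or its actual fix: it shows how the CGI naming convention turns a client's Proxy header into HTTP_PROXY, and how dropping that header before building the child environment closes the path. The function names (cgiEnvName, buildCGIEnv, lookup) and the placeholder proxy URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiEnvName applies the CGI (RFC 3875) convention: a request header becomes
// an HTTP_* meta-variable, upper-cased with "-" replaced by "_".
func cgiEnvName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// buildCGIEnv (hypothetical helper) converts request headers to CGI
// environment entries. With dropProxy set, the client-supplied Proxy header
// is discarded so it can never become HTTP_PROXY in the child process.
func buildCGIEnv(h http.Header, dropProxy bool) []string {
	var env []string
	for name, vals := range h {
		if dropProxy && http.CanonicalHeaderKey(name) == "Proxy" {
			continue
		}
		env = append(env, cgiEnvName(name)+"="+strings.Join(vals, ", "))
	}
	sort.Strings(env)
	return env
}

// lookup returns the value of key in an env slice, similar to os.LookupEnv.
func lookup(env []string, key string) (string, bool) {
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok && k == key {
			return v, true
		}
	}
	return "", false
}

func main() {
	// Constructed request headers; proxy.example.invalid is a placeholder.
	h := http.Header{}
	h.Set("Accept", "text/html")
	h.Set("Proxy", "http://proxy.example.invalid:8080")
	for _, drop := range []bool{false, true} {
		v, ok := lookup(buildCGIEnv(h, drop), "HTTP_PROXY")
		fmt.Printf("dropProxy=%v HTTP_PROXY set=%v value=%q\n", drop, ok, v)
	}
}
```

The same check works as an audit: any CGI-style environment builder that emits HTTP_PROXY from request data is exposed to this class of flaw.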

References
Credits
    • Dominic Scheirlinck

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.3

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "Handler.ServeHTTP"
            ]
        },
        {
            "path": "net/http/cgi",
            "symbols": [
                "ProxyFromEnvironment"
            ]
        }
    ]
}