Vulnerability Name: CVE-2015-5739 (CCN-133655)
Assigned: 2015-07-29
Published: 2015-07-29
Updated: 2019-05-10

Summary: The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length".

CVSS v3 Severity:
9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None

CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None

6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial
Vulnerability Type: CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request Smuggling')
Vulnerability Consequences: Gain Access

References:
Source: MITRE; Type: CNA; CVE-2015-5739
Source: FEDORA; Type: Third Party Advisory; FEDORA-2015-15619
Source: FEDORA; Type: Third Party Advisory; FEDORA-2015-15618
Source: REDHAT; Type: Third Party Advisory; RHSA-2016:1538
Source: CCN; Type: oss-sec Mailing List, Wed, 29 Jul 2015 15:15:45 +0000; CVE Request - Go net/http library - HTTP smuggling
Source: MLIST; Type: Mailing List, Third Party Advisory; [oss-security] 20150729 CVE Request - Go net/http library - HTTP smuggling
Source: MLIST; Type: Mailing List, Third Party Advisory; [oss-security] 20150804 CVE Request - Go net/http library - HTTP smuggling
Source: MLIST; Type: Mailing List, Third Party Advisory; [oss-security] 20150805 Re: CVE Request - Go net/http library - HTTP smuggling
Source: BID; Type: Third Party Advisory, VDB Entry; 76281
Source: CONFIRM; Type: Issue Tracking, Patch, Third Party Advisory; https://bugzilla.redhat.com/show_bug.cgi?id=1250352
Source: XF; Type: UNKNOWN; go-cve20155739-reqeust-smuggling(133655)
Source: CONFIRM; Type: Issue Tracking, Patch, Third Party Advisory; https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
Source: CCN; Type: Go Web site; Go

Vulnerable Configuration:
Configuration 1:
cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version <= 1.4.2)
Configuration 2:
cpe:/o:fedoraproject:fedora:21:*:*:*:*:*:*:* OR
cpe:/o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Configuration 3:
cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Configuration RedHat 1:
cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
Configuration RedHat 2:
cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Oval Definitions (vulnerable components):
golang go *
fedoraproject fedora 21
fedoraproject fedora 22
redhat enterprise linux server 7.0
redhat enterprise linux server aus 7.2
redhat enterprise linux server aus 7.3
redhat enterprise linux server aus 7.4
redhat enterprise linux server aus 7.6
redhat enterprise linux server eus 7.2
redhat enterprise linux server eus 7.3
redhat enterprise linux server eus 7.4
redhat enterprise linux server eus 7.5
redhat enterprise linux server eus 7.6
redhat enterprise linux server tus 7.2
redhat enterprise linux server tus 7.3
redhat enterprise linux server tus 7.6