Vulnerability Report: GO-2022-0761
standard library- CVE-2016-5386
- Affects: net/http, net/http/cgi
- Published: Aug 09, 2022
- Modified: May 20, 2024
An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests. This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. Read more about "httpoxy" here: https://httpoxy.org.
Affected Packages
-
PathGo VersionsSymbols
-
before go1.6.3
-
before go1.6.3
Aliases
References
- https://go.dev/cl/25010
- https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223
- https://go.dev/issue/16405
- https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ
- https://vuln.go.dev/ID/GO-2022-0761.json
Credits
- Dominic Scheirlinck
Feedback
See anything missing or incorrect?
Suggest an edit to this report.