Public Date:
1250352: CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service).

Find out more about CVE-2015-5739 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (golang) RHSA-2016:1538 2016-08-02

Affected Packages State

Platform Package State
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 golang Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 golang Will not fix
Last Modified