Fluid Attacks Database

Description

Improper input validation in net/http and net/http/cgi An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests.

This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.

Read more about "httpoxy" here: https://httpoxy.org.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.6.3	1.6.3
rpm rhel7	golang	<0:1.6.3-1.el7_2.1	0:1.6.3-1.el7_2.1

Aliases

1. CVE-2016-53862. NVD-2016-53863. OSV-GO-2022-07614. OSV-2016-53865. GCVE-2016-5386

References

1. https://go.dev/cl/250102. https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d523292233. https://go.dev/issue/164054. https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.