Bug 1874857 (CVE-2020-24553)
| Summary: | CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abonas, admiller, alegrand, alitke, amurdaca, anpicker, aos-bugs, aos-storage-staff, asm, bbennett, bbreard, bbrownin, bmontgom, bodavis, bthurber, cnv-qe-bugs, deparker, dwalsh, emachado, eparis, erooth, fdeutsch, fweimer, gbrown, hchiramm, hvyas, imcleod, jakub, jburrell, jcajka, jesusr, jligon, jmulligan, jokerman, jpadman, jwon, kakkoyun, kconner, krathod, ksimon, law, lcosic, lemenkov, madam, markito, miabbott, mloibl, mnewsome, mpolacek, nstielau, ohudlick, phoracek, pkrupa, puebele, rcernich, renich, rhs-bugs, rphillips, rrajasek, rtalur, sgott, shurley, sponnaga, stirabos, storage-qa-internal, surbania, tjelinek, tstellar, tsweeney, vbatts |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | go 1.15.1, go 1.14.8 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". This flaw allows an attacker to exploit this issue in applications using these packages by uploading crafted files, allowing a Cross-site Scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-12-15 22:18:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1874858, 1874859, 1875785, 1875786, 1877800, 1877801, 1877802, 1877828, 1897181 | ||
| Bug Blocks: | 1874860 | ||
|
Description
Marian Rehak
2020-09-02 12:51:40 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 1874859] Affects: fedora-all [bug 1874858] External References: https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting Upstream Patch: https://go-review.googlesource.com/c/go/+/252179/ Statement: Multiple components in Red Hat OpenShift Container Platform are built with Go and use net/http, however none include the specific vulnerable packages net/http/cgi and net/http/fcgi. Red Hat OpenShift Container Platform is not affected by this flaw. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:5493 https://access.redhat.com/errata/RHSA-2020:5493 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-24553 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2021:0145 https://access.redhat.com/errata/RHSA-2021:0145 This issue has been addressed in the following products: Openshift Serveless 1.12 Via RHSA-2021:0146 https://access.redhat.com/errata/RHSA-2021:0146 |