In Go versions prior to 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1874859]
Affects: fedora-all [bug 1874858]
Multiple components in Red Hat OpenShift Container Platform are built with Go and use net/http, however none include the specific vulnerable packages net/http/cgi and net/http/fcgi. Red Hat OpenShift Container Platform is not affected by this flaw.