|Description||Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
- golang-1.11 <not-affected> (Introduced in 1.15)
Introduced by https://github.com/golang/go/commit/d5734d4f2dd1168dc3df94f2b9912299aea0c0ac (go1.15beta1)