An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with rn followed by an HTTP header or a Redis command.
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Go | Golang | 1.11.5 (including) | 1.11.5 (including) |
| Red Hat Developer Tools | RedHat | go-toolset-1.11-0:1.11.5-2.el7 | * |
| Red Hat Developer Tools | RedHat | go-toolset-1.11-golang-0:1.11.5-3.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | go-toolset:rhel8-8000020190509153318.b9255456 | * |
| Golang | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | bionic | * |
| Golang-1.10 | Ubuntu | cosmic | * |
| Golang-1.10 | Ubuntu | disco | * |
| Golang-1.10 | Ubuntu | esm-infra/bionic | * |
| Golang-1.10 | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | trusty/esm | * |
| Golang-1.10 | Ubuntu | xenial | * |
| Golang-1.11 | Ubuntu | disco | * |
| Golang-1.11 | Ubuntu | upstream | * |
| Golang-1.6 | Ubuntu | trusty | * |
| Golang-1.6 | Ubuntu | xenial | * |
| Golang-1.7 | Ubuntu | cosmic | * |
| Golang-1.8 | Ubuntu | bionic | * |
| Golang-1.8 | Ubuntu | cosmic | * |
| Golang-1.8 | Ubuntu | esm-apps/bionic | * |
| Golang-1.9 | Ubuntu | bionic | * |
| Golang-1.9 | Ubuntu | cosmic | * |
| Golang-1.9 | Ubuntu | esm-apps/bionic | * |