An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with rn followed by an HTTP header or a Redis command.
Weakness
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Go | Golang | 1.11.5 (including) | 1.11.5 (including) |
| Red Hat Developer Tools | RedHat | go-toolset-1.11-0:1.11.5-2.el7 | * |
| Red Hat Developer Tools | RedHat | go-toolset-1.11-golang-0:1.11.5-3.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | go-toolset:rhel8-8000020190509153318.b9255456 | * |
| Golang | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | bionic | * |
| Golang-1.10 | Ubuntu | cosmic | * |
| Golang-1.10 | Ubuntu | disco | * |
| Golang-1.10 | Ubuntu | esm-infra/bionic | * |
| Golang-1.10 | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | trusty/esm | * |
| Golang-1.10 | Ubuntu | xenial | * |
| Golang-1.11 | Ubuntu | disco | * |
| Golang-1.11 | Ubuntu | upstream | * |
| Golang-1.6 | Ubuntu | trusty | * |
| Golang-1.6 | Ubuntu | xenial | * |
| Golang-1.7 | Ubuntu | cosmic | * |
| Golang-1.8 | Ubuntu | bionic | * |
| Golang-1.8 | Ubuntu | cosmic | * |
| Golang-1.8 | Ubuntu | esm-apps/bionic | * |
| Golang-1.9 | Ubuntu | bionic | * |
| Golang-1.9 | Ubuntu | cosmic | * |
| Golang-1.9 | Ubuntu | esm-apps/bionic | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.securityfocus.com/bid/107432
- https://access.redhat.com/errata/RHSA-2019:1300
- https://access.redhat.com/errata/RHSA-2019:1519
- https://github.com/golang/go/issues/30794
- https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/
- http://www.securityfocus.com/bid/107432
- https://access.redhat.com/errata/RHSA-2019:1300
- https://access.redhat.com/errata/RHSA-2019:1519
- https://github.com/golang/go/issues/30794
- https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/