CVE-2020-15586

golang: data race in certain net/http servers including ReverseProxy can lead to DoS

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Go versiones anteriores a 1.13.13 y versiones 1.14.x anteriores a 1.14.5, presenta una carrera de datos en algunos servidores net/http, como es demostrado por el Manejador httputil.ReverseProxy, porque lee un cuerpo de petición y escribe una respuesta al mismo tiempo

A flaw was found Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-07-07 CVE Reserved
2020-07-17 CVE Published
2024-06-23 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (16)

URL	Tag	Source
https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w	X_refsource_confirm
https://groups.google.com/forum/#%21topic/golang-announce/f2c5bqrGH_g	X_refsource_misc
https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html	Mailing List
https://security.netapp.com/advisory/ntap-20200731-0005	Third Party Advisory
https://www.cloudfoundry.org/blog/cve-2020-15586	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCR6LAKCVKL55KJQPPBBWVQGOP7RL2RW	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR	2023-11-07
https://www.debian.org/security/2021/dsa-4848	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-15586	2021-11-02
https://bugzilla.redhat.com/show_bug.cgi?id=1856953	2021-11-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.13.13 Search vendor "Golang" for product "Go" and version " < 1.13.13"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.14.0 < 1.14.5 Search vendor "Golang" for product "Go" and version " >= 1.14.0 < 1.14.5"		-		Affected
Cloudfoundry Search vendor "Cloudfoundry"		Cf-deployment Search vendor "Cloudfoundry" for product "Cf-deployment"				< 13.7.0 Search vendor "Cloudfoundry" for product "Cf-deployment" and version " < 13.7.0"		-		Affected
Cloudfoundry Search vendor "Cloudfoundry"		Routing-release Search vendor "Cloudfoundry" for product "Routing-release"				< 0.203.0 Search vendor "Cloudfoundry" for product "Routing-release" and version " < 0.203.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected