CVE-2020-24553
golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Go versiones anteriores a 1.14.8 y versiones 1.15.x anteriores a 1.15.1, permite un ataque de tipo XSS porque text/html es el predeterminado para los manejadores de CGI/FCGI que carecen de un encabezado Content-Type
A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". This flaw allows an attacker to exploit this issue in applications using these packages by uploading crafted files, allowing a Cross-site Scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
The CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content. In contrast to the documented behavior, they may return non-HTML data as HTML. This may lead to cross site scripting vulnerabilities even if uploaded data has been validated during upload. Versions 1.15 and 1.14.7 and below are affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-08-20 CVE Reserved
- 2020-09-02 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-08-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| https://groups.google.com/forum/#%21topic/golang-announce/8wqlSbkLdPs | X_refsource_misc | |
| https://security.netapp.com/advisory/ntap-20200924-0003 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.14.8 Search vendor "Golang" for product "Go" and version " < 1.14.8" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.15.0 < 1.15.1 Search vendor "Golang" for product "Go" and version " >= 1.15.0 < 1.15.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy" | 1.5.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.5.0" | - |
Affected
| ||||||