CVE-2021-33197
golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
Severity Score
Exploit Likelihood
Affected Versions
2Public Exploits
1Exploited in Wild
-Decision
Descriptions
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
En Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, algunas configuraciones de ReverseProxy (desde net/http/httputil) resultan en una situaciĆ³n en la que un atacante es capaz de dejar caer cabeceras arbitrarias
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
New Features The release of RHACS 3.64 provides the following new features: 1. You can now use deployment and namespace annotations to define where RHACS sends the violation notifications when configuring your notifiers such as Slack, Microsoft Teams, Email, and others. 2. The Red Hat Advanced Cluster Security Operator now supports the ability to allow users to set the enforcement behavior of the admission controller as part of their custom resource. 3. RHACS now supports kernel modules for Ubuntu 16.04 LTS with extended security maintenance.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-19 CVE Reserved
- 2021-08-02 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-862: Missing Authorization
CAPEC
References (5)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202208-02 | 2022-09-14 | |
| https://access.redhat.com/security/cve/CVE-2021-33197 | 2022-11-15 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1989570 | 2022-11-15 |