CVE-2020-15586

Summary

CVE	CVE-2020-15586
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-07-17 16:15:00 UTC
Updated	2023-11-07 03:17:00 UTC
Description	Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Risk And Classification

Problem Types: CWE-362

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Cloudfoundry	Cf-deployment	All	All	All	All
Application	Cloudfoundry	Cf-deployment	All	All	All	All
Application	Cloudfoundry	Routing-release	All	All	All	All
Application	Cloudfoundry	Routing-release	All	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Application	Golang	Go	All	All	All	All
Application	Golang	Go	All	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All

References

Reference	Source	Link	Tags
July 2020 Golang Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Debian -- Security Information -- DSA-4848-1 golang-1.11	DEBIAN	www.debian.org	Third Party Advisory
Google Groups		groups.google.com
Google Groups	MISC	groups.google.com	Third Party Advisory
CVE-2020-15586: Gorouter is vulnerable to DoS Attack via Expect: 100-continue requests \| Cloud Foundry	CONFIRM	www.cloudfoundry.org	Third Party Advisory
[SECURITY] Fedora 31 Update: golang-1.13.14-1.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
[security-announce] openSUSE-SU-2020:1405-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
[security-announce] openSUSE-SU-2020:1095-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
[SECURITY] [DLA 2460-1] golang-1.8 security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 32 Update: golang-1.14.6-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Google Groups	CONFIRM	groups.google.com	Third Party Advisory
Google Groups		groups.google.com
[SECURITY] Fedora 31 Update: golang-1.13.14-1.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] [DLA 2459-1] golang-1.7 security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 32 Update: golang-1.14.6-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
[security-announce] openSUSE-SU-2020:1407-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
[security-announce] openSUSE-SU-2020:1087-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

239198 Red Hat Update for OpenShift Container Platform 4.6.23 (RHSA-2021:0956)
239200 Red Hat Update for OpenShift Container Platform 4.5.34 packages and (RHSA-2021:0713)
239226 Red Hat Update for OpenShift Container Platform 4.5.37 (RHSA-2021:1016)
239272 Red Hat Update for OpenShift Container Platform 4.7.9 packages and (RHSA-2021:1366)
239381 Red Hat Update for OpenShift Container Platform 4.7.13 packages and (RHSA-2021:2122)
377556 Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2021:0069)
500975 Alpine Linux Security Update for go
501566 Alpine Linux Security Update for go
770039 Red Hat OpenShift Container Platform 4.6.1 Package Security Update (RHSA-2020:4297)
770040 Red Hat OpenShift Container Platform 4.5.20 Packages and Security Update (RHSA-2020:5119)
770052 Red Hat OpenShift Container Platform 4.5.34 Packages and Security Update (RHSA-2021:0713)
770053 Red Hat OpenShift Container Platform 4.6.23 Security Update (RHSA-2021:0956)
770056 Red Hat OpenShift Container Platform 4.5.37 Security Update (RHSA-2021:1016)
770058 Red Hat OpenShift Container Platform 4.7.9 Packages and Security Update (RHSA-2021:1366)
770063 Red Hat OpenShift Container Platform 4.7.13 Packages and Security Update (RHSA-2021:2122)
770076 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021:0172)
770091 Red Hat OpenShift Container Platform 4.7 Security Update (RHSA-2021-1366)
770093 Red Hat OpenShift Container Platform 4.5 Security Update (RHSA-2021-0713)
770096 Red Hat OpenShift Container Platform 4.7 Security Update (RHSA-2021-2122)
770113 Red Hat OpenShift Container Platform 4.5 Security Update (RHSA-2021-1016)
770116 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021-0172)
770118 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021-0956)
900261 CBL-Mariner Linux Security Update for golang 1.13.11
903461 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (1875)
907781 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (1875-1)