CVE-2020-24553

CVE-2020-24553

Name

CVE-2020-24553

Description

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Mailing List	https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs
Exploit	http://seclists.org/fulldisclosure/2020/Sep/5
Exploit	http://packetstormsecurity.com/files/159049/Go-CGI-FastCGI-Transport-Cross-Site-Scripting.html
CONFIRM	https://security.netapp.com/advisory/ntap-20200924-0003/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00000.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00002.html
MISC	https://www.oracle.com/security-alerts/cpuApr2021.html
Patch	https://www.oracle.com//security-alerts/cpujul2021.html
Exploit	https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

Type

URI

Mailing List

https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs

Exploit

http://seclists.org/fulldisclosure/2020/Sep/5

Exploit

http://packetstormsecurity.com/files/159049/Go-CGI-FastCGI-Transport-Cross-Site-Scripting.html

CONFIRM

https://security.netapp.com/advisory/ntap-20200924-0003/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00000.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00002.html

MISC

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch

https://www.oracle.com//security-alerts/cpujul2021.html

Exploit

https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:golang:go::::::::`	go	>= None	< 1.14.8
`cpe:2.3:a:golang:go::::::::`	go	>= 1.15.0	< 1.15.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= None

< 1.14.8

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>= 1.15.0

< 1.15.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
go	edge-community	1.15.2-r0	None	fixed
go	edge-community	1.14.5-r0	None	possibly vulnerable
go	edge-community	1.13.7-r0	None	possibly vulnerable
go	edge-community	1.13.2-r0	None	possibly vulnerable
go	edge-community	1.13.1-r0	None	possibly vulnerable
go	edge-community	1.12.8-r0	None	possibly vulnerable
go	edge-community	1.11.5-r0	None	possibly vulnerable
go	edge-community	1.9.4-r0	None	possibly vulnerable
go	3.22-community	1.15.2-r0	None	fixed
go	3.22-community	1.14.5-r0	None	possibly vulnerable
go	3.22-community	1.13.7-r0	None	possibly vulnerable
go	3.22-community	1.13.2-r0	None	possibly vulnerable
go	3.22-community	1.13.1-r0	None	possibly vulnerable
go	3.22-community	1.12.8-r0	None	possibly vulnerable
go	3.22-community	1.11.5-r0	None	possibly vulnerable
go	3.22-community	1.9.4-r0	None	possibly vulnerable
go	3.21-community	1.15.2-r0	None	fixed
go	3.20-community	1.15.2-r0	None	fixed
go	3.19-community	1.15.2-r0	None	fixed
go	3.18-community	1.15.2-r0	None	fixed
go	3.17-community	1.15.2-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

edge-community

1.15.2-r0

None

fixed

edge-community

1.14.5-r0

None