CVE-2016-5386
Improper input validation in net/http and net/http/cgi
EPSS 45.9%
Description
An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests. This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. Read more about "httpoxy" here: https://httpoxy.org.
How to fix CVE-2016-5386
To remediate CVE-2016-5386, upgrade the affected package to a fixed version below.
- Go/stdlib—upgrade to 1.6.3 or later
Is CVE-2016-5386 being exploited?
Moderate — EPSS is 45.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 1.6.3