CVE-2020-24553

medium

Description

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
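The defensive point of the description is that a CGI or FastCGI handler which never declares a Content-Type leaves the decision to the transport, and on the affected Go versions that default was text/html. The following is an added example (not code from the Go project or from this advisory) that shows a handler relying on the default next to one that declares its type, plus a small review check. The helper names (headerProbe, DeclaredContentType, DeclaresNonHTMLType) and the request path are assumptions for illustration; the check deliberately avoids reading the recorder's headers after the write, because httptest.ResponseRecorder sniffs a type of its own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UnsafeEcho reflects a query parameter without declaring a Content-Type.
// On the affected Go versions, net/http/cgi and net/http/fcgi labelled such
// a response text/html, so a browser would render the reflected text as markup.
func UnsafeEcho(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "you said: %s", r.URL.Query().Get("q"))
}

// SafeEcho declares the type before the first Write, so the transport
// layer never has to guess, and tells browsers not to sniff it either.
func SafeEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprintf(w, "you said: %s", r.URL.Query().Get("q"))
}

// headerProbe is a hypothetical wrapper (assumed name) that snapshots the
// Content-Type present at the moment the handler commits its headers, which
// is the point at which the CGI/FCGI layer has to decide what to send.
type headerProbe struct {
	http.ResponseWriter
	declared string
	checked  bool
}

func (p *headerProbe) WriteHeader(code int) {
	if !p.checked {
		p.declared = p.Header().Get("Content-Type")
		p.checked = true
	}
	p.ResponseWriter.WriteHeader(code)
}

func (p *headerProbe) Write(b []byte) (int, error) {
	if !p.checked {
		p.WriteHeader(http.StatusOK) // implicit 200, as net/http does
	}
	return p.ResponseWriter.Write(b)
}

// DeclaredContentType runs h against a constructed request and returns the
// Content-Type the handler itself declared ("" if none).
func DeclaredContentType(h http.HandlerFunc, rawURL string) string {
	p := &headerProbe{ResponseWriter: httptest.NewRecorder()}
	h(p, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return p.declared
}

// DeclaresNonHTMLType reports whether h sets an explicit Content-Type other
// than text/html; a handler mounted behind cgi.Handler or fcgi.Serve that
// fails this check is relying on the transport's default.
func DeclaresNonHTMLType(h http.HandlerFunc, rawURL string) bool {
	ct := DeclaredContentType(h, rawURL)
	return ct != "" && !strings.HasPrefix(strings.ToLower(ct), "text/html")
}

func main() {
	// Constructed request; the handlers above are the only inputs.
	for name, h := range map[string]http.HandlerFunc{
		"UnsafeEcho": UnsafeEcho,
		"SafeEcho":   SafeEcho,
	} {
		fmt.Printf("%-10s declared Content-Type %q, passes check: %v\n",
			name, DeclaredContentType(h, "/?q=hello"), DeclaresNonHTMLType(h, "/?q=hello"))
	}
}
```

Running the check over every handler in a CGI/FastCGI program makes the "no Content-Type" case visible before deployment; upgrading to Go 1.14.8 / 1.15.1 removes the text/html default, but an explicit type on every response is the habit that removes the dependency on transport defaults altogether.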

References

https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs

http://seclists.org/fulldisclosure/2020/Sep/5

http://packetstormsecurity.com/files/159049/Go-CGI-FastCGI-Transport-Cross-Site-Scripting.html

https://security.netapp.com/advisory/ntap-20200924-0003/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00002.html

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2020-09-02

Updated: 2021-07-20

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

16 total

ID     | Name                                                                                                                                                  | Product | Family                              | Severity
150285 | Photon OS 3.0: Go PHSA-2021-3.0-0248                                                                                                                  | Nessus  | PhotonOS Local Security Checks      | medium
148977 | Oracle NoSQL Database Multiple Vulnerabilities (Apr 2021 CPU)                                                                                         | Nessus  | Databases                           | critical
148004 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Go vulnerability (USN-4758-1)                                                                      | Nessus  | Ubuntu Local Security Checks        | medium
145933 | CentOS 8 : go-toolset:rhel8 (CESA-2020:5493)                                                                                                          | Nessus  | CentOS Local Security Checks        | high
145182 | EulerOS 2.0 SP3 : golang (EulerOS-SA-2021-1073)                                                                                                       | Nessus  | Huawei Local Security Checks        | medium
144562 | Oracle Linux 8 : go-toolset:ol8 (ELSA-2020-5493)                                                                                                      | Nessus  | Oracle Linux Local Security Checks  | high
144407 | RHEL 8 : go-toolset:rhel8 (RHSA-2020:5493)                                                                                                            | Nessus  | Red Hat Local Security Checks       | high
144268 | EulerOS 2.0 SP5 : golang (EulerOS-SA-2020-2548)                                                                                                       | Nessus  | Huawei Local Security Checks        | medium
144128 | EulerOS 2.0 SP8 : golang (EulerOS-SA-2020-2512)                                                                                                       | Nessus  | Huawei Local Security Checks        | medium
143750 | SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2020:2761-1)                                                                                   | Nessus  | SuSE Local Security Checks          | medium
143651 | SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2020:2776-1)                                                                                   | Nessus  | SuSE Local Security Checks          | medium
142981 | Amazon Linux AMI : golang (ALAS-2020-1445)                                                                                                            | Nessus  | Amazon Linux Local Security Checks  | medium
142723 | Amazon Linux 2 : golang (ALAS-2020-1554)                                                                                                              | Nessus  | Amazon Linux Local Security Checks  | medium
141162 | openSUSE Security Update : go1.14 (openSUSE-2020-1587)                                                                                                | Nessus  | SuSE Local Security Checks          | medium
141160 | openSUSE Security Update : go1.14 (openSUSE-2020-1584)                                                                                                | Nessus  | SuSE Local Security Checks          | medium
140135 | FreeBSD : go -- net/http/cgi, net/http/fcgi: XSS (XSS) when Content-Type is not specified (67b050ae-ec82-11ea-9071-10c37b4ac2ea)                      | Nessus  | FreeBSD Local Security Checks       | medium