CVE-2020-15586

Published: Jul 17, 2020Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Affected (10)

Products: Golang: Go · Cloudfoundry: Cf Deployment, Routing Release · Debian: Debian Linux · +2 more

Show all products

Golang: Go · Cloudfoundry: Cf Deployment, Routing Release · Debian: Debian Linux · Opensuse: Leap · Fedoraproject: Fedora

1 product

2 products

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.13.13
Golang Go	From 1.14.0 to 1.14.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Cf Deployment	Before 13.7.0
Cloudfoundry Routing Release	Before 0.203.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Configuration E

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (28)

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w

Source: cve@mitre.org

https://groups.google.com/forum/#%21topic/golang-announce/f2c5bqrGH_g

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCR6LAKCVKL55KJQPPBBWVQGOP7RL2RW/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20200731-0005/

Source: cve@mitre.org

Third Party Advisory

https://www.cloudfoundry.org/blog/cve-2020-15586/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2021/dsa-4848

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: cve@mitre.org

PatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html