Bug ID 1176031
Summary (CVE-2020-24553) VUL-0: CVE-2020-24553: go net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter jkowalczyk@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Go 1.15.1 and Go 1.14.8 address a recently reported security issue:

When a Handler does not explicitly set the Content-Type header, the
net/http/cgi and net/http/fcgi packages would default to "text/html", which
could cause a Cross-Site Scripting vulnerability if an attacker can control any
part of the contents of a response.

The Content-Type header is now set based on the contents of the first Write
using http.DetectContentType, which is consistent with the behavior of the
net/http package.

Although this protects some applications that validate the contents of uploaded
files, not setting the Content-Type header explicitly on any
attacker-controlled file is unsafe and should be avoided.

This issue is CVE-2020-24553 and Go issue
https://github.com/golang/go/issues/40928
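The following Go program is an added example and is not part of this bug report or of Go's own code. It shows the two behaviours the advisory contrasts: a handler that never sets Content-Type and therefore gets whatever http.DetectContentType decides from the first Write (the behaviour cgi/fcgi now share with net/http), next to the recommended form that pins Content-Type explicitly before writing. It drives the handlers through net/http/httptest rather than a real CGI subprocess, on the assumption that the sniffing step is the same http.DetectContentType call in both paths; the names sniffContentType, implicitHandler, explicitHandler and serve, and the sample bodies, are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sniffContentType applies the sniffing that net/http has always used and that
// net/http/cgi and net/http/fcgi use since Go 1.15.1 / 1.14.8: the bytes of the
// first Write decide the Content-Type when the Handler sets none.
func sniffContentType(firstWrite []byte) string {
	return http.DetectContentType(firstWrite)
}

// implicitHandler never sets Content-Type and echoes a caller-supplied value,
// so the shape of the first Write decides how a browser renders the body.
// Before the fix, cgi/fcgi would have labelled this "text/html" unconditionally.
func implicitHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, r.URL.Query().Get("q"))
}

// explicitHandler is the form the advisory recommends: Content-Type is pinned
// before the first Write (and nosniff asks browsers to honour it), so the body
// is never interpreted as HTML no matter what it contains.
func explicitHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprint(w, r.URL.Query().Get("q"))
}

// serve runs h against a constructed request carrying q and returns the
// Content-Type the recorded response ends up with. httptest.ResponseRecorder
// performs the same DetectContentType step as a real server when the handler
// set no Content-Type of its own.
func serve(h http.HandlerFunc, q string) string {
	req := httptest.NewRequest(http.MethodGet, "/?q="+url.QueryEscape(q), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	// Constructed sample bodies: one that looks like HTML, one that does not.
	htmlLike := "<h1>untrusted</h1>"
	plain := "untrusted plain text"

	for _, body := range []string{htmlLike, plain} {
		fmt.Printf("sniffed %q -> %s\n", body, sniffContentType([]byte(body)))
		fmt.Printf("implicit handler -> %s\n", serve(implicitHandler, body))
		fmt.Printf("explicit handler -> %s\n", serve(explicitHandler, body))
	}
}
```

Running it shows the HTML-looking body coming back as text/html from implicitHandler but as text/plain from explicitHandler; sniffing only helps when the attacker-controlled bytes happen not to look like HTML, which is why the advisory says an explicit Content-Type is the safe choice.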
