Race Condition in Go's HTTP Reverse Proxy Affecting Multiple Versions
CVE-2021-36221

5.9MEDIUM

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 8 August 2021

What is CVE-2021-36221?

A race condition in the Go programming language's HTTP reverse proxy can lead to a panic when an ErrAbortHandler abort is invoked. This vulnerability impacts versions prior to 1.15.15 and 1.16.x prior to 1.16.7, potentially resulting in application instability during proxy operations.

References

https://groups.google.com/forum/#%21forum/golang-announce

https://groups.google.com/g/golang-announce/c/JvWG9FUUYT0

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 8, 2021
Vulnerability Reserved
Jul 7, 2021

Golang

What is CVE-2021-36221?

References

CVSS V3.1

Timeline