Usage of vulnerable CGI package

  • Rule ID: go_gosec_blocklist_cgi
  • Languages: go
  • Source: cgi.yml

Description

The net/http/cgi package in Go versions before 1.6.3 is vulnerable to the Httpoxy attack (CVE-2016-5386). CGI and FastCGI hand each incoming request header to the application as an HTTP_<NAME> environment variable, so a client-supplied Proxy header arrives as HTTP_PROXY, the same variable that net/http's default transport (http.ProxyFromEnvironment) consults to pick an outbound proxy. An attacker who sends that header can therefore route the web application's outgoing HTTP requests through a server they control and intercept or redirect them.

Remediations

  • Do update your Go version to 1.6.3 or later. From that release, http.ProxyFromEnvironment refuses an HTTP_PROXY value when it detects a CGI environment (REQUEST_METHOD is set), and net/http/cgi no longer forwards the Proxy header into the child environment.
  • Do serve the application directly with net/http where possible, so that request headers are never turned into environment variables at all.
  • Do not use the net/http/cgi package if your Go version is older than 1.6.3; the import below is what this rule flags:
    import "net/http/cgi"
  • Do make sure a client-controlled HTTP_PROXY can never reach your outbound HTTP client: strip the Proxy request header at the front-end web server, and configure the outbound proxy explicitly on the http.Transport rather than relying on environment variables.
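The following program is an added example (not code from the Bearer rule or from the Go standard library) that shows the Httpoxy mechanism described above and the two remediations. It models the CGI header-to-environment mapping, the post-1.6.3 refusal of HTTP_PROXY under CGI, stripping the Proxy header, and pinning the outbound proxy on the transport. The header values, host names and the helper function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// cgiEnvFromHeaders reproduces the CGI convention (RFC 3875) of exposing each
// request header as an HTTP_<NAME> environment variable. It is a constructed
// model of that mapping, not Go's own net/http/cgi implementation.
func cgiEnvFromHeaders(h http.Header) map[string]string {
	env := map[string]string{}
	for name, vals := range h {
		key := "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		env[key] = strings.Join(vals, ", ")
	}
	return env
}

// proxyFromCGIEnv models the behaviour introduced in Go 1.6.3: when the
// process runs under CGI (REQUEST_METHOD is set), an HTTP_PROXY value is
// refused for plain-http targets instead of being trusted. Without that
// check, the attacker-supplied value would be parsed and used.
func proxyFromCGIEnv(env map[string]string, target *url.URL) (*url.URL, error) {
	proxy := ""
	if target.Scheme == "https" {
		proxy = env["HTTPS_PROXY"] // only a literal "Proxy" header maps to HTTP_PROXY
	}
	if proxy == "" {
		proxy = env["HTTP_PROXY"]
		if proxy != "" && env["REQUEST_METHOD"] != "" {
			return nil, errors.New("refusing to use HTTP_PROXY value in CGI environment")
		}
	}
	if proxy == "" {
		return nil, nil
	}
	return url.Parse(proxy)
}

// dropProxyHeader is the front-end hardening step: remove the client-controlled
// Proxy header before the request can be turned into a CGI environment.
func dropProxyHeader(h http.Header) http.Header {
	out := h.Clone()
	out.Del("Proxy")
	return out
}

// outboundClient pins the proxy used by the application's own HTTP calls
// instead of consulting http.ProxyFromEnvironment, so whatever HTTP_PROXY
// holds in a CGI process has no effect. Pass nil for a direct connection.
func outboundClient(fixedProxy *url.URL) *http.Client {
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.Proxy = func(*http.Request) (*url.URL, error) { return fixedProxy, nil }
	return &http.Client{Transport: t}
}

func main() {
	// Constructed attacker request: a normal GET carrying a Proxy header.
	h := http.Header{}
	h.Set("Host", "app.example")
	h.Set("Proxy", "http://attacker.example:8080")

	env := cgiEnvFromHeaders(h)
	env["REQUEST_METHOD"] = "GET"
	fmt.Println("HTTP_PROXY seen by the CGI script:", env["HTTP_PROXY"])

	target := &url.URL{Scheme: "http", Host: "api.example"}
	if _, err := proxyFromCGIEnv(env, target); err != nil {
		fmt.Println("patched behaviour:", err)
	}

	safeEnv := cgiEnvFromHeaders(dropProxyHeader(h))
	_, present := safeEnv["HTTP_PROXY"]
	fmt.Println("HTTP_PROXY present after stripping header:", present)

	c := outboundClient(nil)
	p, _ := c.Transport.(*http.Transport).Proxy(&http.Request{URL: target})
	fmt.Println("pinned transport proxy:", p)
}
```

The two mitigations are independent: stripping the header protects scripts you do not control, while pinning the transport's Proxy function protects your own outbound calls even if some other component leaks HTTP_PROXY into the environment.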

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_cgi

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_cgi