
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2015-5741 is a security vulnerability in the net/http library of the Go programming language, affecting versions before 1.4.3. The vulnerability relates to improper parsing of HTTP headers, specifically in the net/http/transfer.go component. The issue was identified in July 2015 and allows remote attackers to conduct HTTP request smuggling attacks via requests that contain both a Content-Length and a Transfer-Encoding header field (OSS Security, NVD).
The vulnerability stems from the net/http library's failure to handle HTTP headers as RFC 7230 requires, specifically its handling of requests that carry both a Content-Length and a Transfer-Encoding header field. When two parsers in the request path disagree about which of the two headers frames the body, they also disagree about where one request ends and the next begins, which is what makes smuggling possible. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its severity (NVD).
The vulnerability can be exploited when a reverse proxy (including a caching reverse proxy or an SSL terminator) sits between the net/http server and the end HTTP clients. Attackers could potentially bypass security controls, perform web-cache poisoning, or desynchronise the request/response mapping on the intermediaries in front of the server, potentially leading to denial of service conditions (OSS Security).
The vulnerability was fixed in Go version 1.4.3 and Go 1.5. The fix adds proper validation of HTTP headers and implements the RFC 7230 requirements regarding the Content-Length and Transfer-Encoding headers. Users are advised to upgrade to these or later versions. Additionally, because Go links the standard library statically into each binary, every Go program that uses the net/http package and was compiled with version 1.4.2 or earlier must be recompiled with version 1.4.3 or later (GitHub Commit, Red Hat Bugzilla).
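As an added illustration (not code from this page or from the Go project), the following standalone Go function applies the RFC 7230 section 3.3.3 framing rules to a raw request head: it rejects any request carrying both headers, requires the final transfer coding to be chunked, and requires repeated Content-Length values to agree. The names CheckFraming and Framing are constructed here, and header parsing goes through net/textproto rather than net/http so the check does not depend on how the running Go version's own net/http resolves the conflict.

```go
package main

import (
	"bufio"
	"errors"
	"net/textproto"
	"strconv"
	"strings"
)

// Framing records how the body of an HTTP/1.1 request is delimited.
type Framing struct {
	Chunked       bool
	ContentLength int64 // -1 when no Content-Length header is present
}
var ErrAmbiguousFraming = errors.New("both Content-Length and Transfer-Encoding present")
var ErrContentLength = errors.New("malformed or conflicting Content-Length")
var ErrTransferEncoding = errors.New("Transfer-Encoding does not end in chunked")

// CheckFraming parses the head of a raw HTTP/1.1 request and decides how its body
// is framed per RFC 7230 section 3.3.3: both Content-Length and Transfer-Encoding
// present is rejected, Transfer-Encoding must end in "chunked", and repeated
// Content-Length values must agree. The request line itself is not validated.
func CheckFraming(raw string) (Framing, error) {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	tp.ReadLine() // skip the request line; an empty head surfaces as an error below
	hdr, err := tp.ReadMIMEHeader() // field names come back canonicalised
	if err != nil {
		return Framing{}, err
	}
	te, cl := hdr["Transfer-Encoding"], hdr["Content-Length"]
	f := Framing{ContentLength: -1}
	if len(te) > 0 && len(cl) > 0 {
		return f, ErrAmbiguousFraming // the condition behind CVE-2015-5741
	}
	if len(te) > 0 { // Transfer-Encoding wins, but its final coding must be chunked
		codings := strings.Split(strings.Join(te, ","), ",")
		if f.Chunked = strings.EqualFold(strings.TrimSpace(codings[len(codings)-1]), "chunked"); !f.Chunked {
			return f, ErrTransferEncoding
		}
		return f, nil
	}
	for _, v := range cl { // every Content-Length must be a valid, identical integer
		n, perr := strconv.ParseInt(strings.TrimSpace(v), 10, 64)
		if perr != nil || n < 0 || (f.ContentLength >= 0 && n != f.ContentLength) {
			return Framing{ContentLength: -1}, ErrContentLength
		}
		f.ContentLength = n
	}
	return f, nil
}
```

The head passed in must end with the blank line that terminates the header block, as a real request does; a caller would answer any returned error with 400 Bad Request and close the connection rather than guess a framing.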
Source: This report was generated using AI