CVE-2023-45289

Name
CVE-2023-45289
Description
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@golang.org https://go.dev/cl/569340
security@golang.org https://go.dev/issue/65065
security@golang.org https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
security@golang.org https://pkg.go.dev/vuln/GO-2024-2600
security@golang.org https://security.netapp.com/advisory/ntap-20240329-0006/
security@golang.org http://www.openwall.com/lists/oss-security/2024/03/08/4

Match rules

CPE URI Source package Min version Max version
net/http >= 0 < 1.21.8
net/http >= 1.22.0-0 < 1.22.1
net/http/cookiejar >= 0 < 1.21.8
net/http/cookiejar >= 1.22.0-0 < 1.22.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go edge-community 1.22.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go 3.22-community 1.22.1-r0 None fixed
go 3.21-community 1.22.1-r0 None fixed
go 3.20-community 1.22.1-r0 None fixed
go 3.19-community 1.21.8-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed