CVE-2023-45289

Name
CVE-2023-45289
Description
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@golang.org https://go.dev/cl/569340
security@golang.org https://go.dev/issue/65065
security@golang.org https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
security@golang.org https://pkg.go.dev/vuln/GO-2024-2600
security@golang.org https://security.netapp.com/advisory/ntap-20240329-0006/
security@golang.org http://www.openwall.com/lists/oss-security/2024/03/08/4

Match rules

CPE URI Source package Min version Max version
net/http >= 0 < 1.21.8
net/http >= 1.22.0-0 < 1.22.1
net/http/cookiejar >= 0 < 1.21.8
net/http/cookiejar >= 1.22.0-0 < 1.22.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status