
CVE-2023-45289

Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http

  • Severity Score: 4.3 (CVSS v3.1)
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track (SSVC)

Descriptions

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.


A flaw was found in Go's net/http/cookiejar standard library package. When following an HTTP redirect to a domain that is not a subdomain match or an exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
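Added example (not part of this CVE record and not the Go project's own code): a Go http.Client whose CheckRedirect hook enforces the rule the description states, that Authorization and Cookie follow a redirect only when the target host is the original host or one of its subdomains, as a defence-in-depth layer for a client that cannot yet move to a fixed release, together with a local httptest harness that checks the behaviour on both kinds of redirect. The hostnames foo.example, www.foo.example and bar.example, the paths, the bearer token and the helper names are constructed for this demo; the rule in sameOrSubdomain that a host containing ':' only matches itself is the example's own conservative choice, not a description of the upstream fix.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Headers that must not survive a redirect to an unrelated domain.
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// sameOrSubdomain reports whether host equals parent or is a subdomain of it.
// Inputs are bare hostnames; a host containing ':' (IPv6 literal) only matches itself.
func sameOrSubdomain(host, parent string) bool {
	host, parent = strings.ToLower(host), strings.ToLower(parent)
	if strings.Contains(host, ":") || strings.Contains(parent, ":") {
		return host == parent
	}
	return host == parent || strings.HasSuffix(host, "."+parent)
}

// NewHardenedClient wraps transport in an http.Client whose CheckRedirect hook
// drops sensitive headers whenever a redirect leaves the original domain,
// independently of the filtering net/http applies on its own.
func NewHardenedClient(transport http.RoundTripper) *http.Client {
	return &http.Client{
		Transport: transport,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			// net/http has already copied headers into req.Header here;
			// via[0] is the request the caller originally issued.
			if !sameOrSubdomain(req.URL.Hostname(), via[0].URL.Hostname()) {
				for _, h := range sensitiveHeaders {
					req.Header.Del(h)
				}
			}
			return nil
		},
	}
}

// runRedirectLab starts a local httptest server that stands in for every
// hostname (the transport dials it whatever the URL says), sends a GET with a
// constructed bearer token to startURL, follows the redirect, and returns the
// Authorization value the final virtual host received ("" if stripped).
func runRedirectLab(startURL, finalHost string) (string, error) {
	var mu sync.Mutex
	seen := map[string]string{} // virtual host -> Authorization received
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		seen[r.Host] = r.Header.Get("Authorization")
		mu.Unlock()
		switch r.URL.Path { // constructed hostnames for the demo
		case "/to-subdomain":
			http.Redirect(w, r, "http://www.foo.example/landed", http.StatusFound)
		case "/to-other-domain":
			http.Redirect(w, r, "http://bar.example/landed", http.StatusFound)
		default:
			w.WriteHeader(http.StatusOK)
		}
	}))
	defer srv.Close()
	client := NewHardenedClient(&http.Transport{
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			var d net.Dialer // every connection goes to srv, no DNS involved
			return d.DialContext(ctx, network, srv.Listener.Addr().String())
		},
	})
	req, err := http.NewRequest(http.MethodGet, startURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer constructed-test-token")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return seen[finalHost], nil
}

func main() {
	for _, c := range []struct{ start, final string }{
		{"http://foo.example/to-subdomain", "www.foo.example"},
		{"http://foo.example/to-other-domain", "bar.example"},
	} {
		auth, err := runRedirectLab(c.start, c.final)
		fmt.Printf("%s -> %s: Authorization=%q err=%v\n", c.start, c.final, auth, err)
	}
}
```

Running the program shows the token arriving at www.foo.example and an empty Authorization at bar.example. The hook works on req.URL.Hostname(), which strips the port and IPv6 brackets, and compares against via[0] rather than the previous hop, so a chain of redirects cannot regain the header by passing through a related host first; setting CheckRedirect replaces the default hook, which is why the ten-redirect limit is re-implemented inside it.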

Credits: Juho Nurminen of Mattermost

CVSS Scores (Common Vulnerability Scoring System, v3.1)
  • AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: Attack Vector Network, Attack Complexity Low, Privileges Required Low, User Interaction None, Scope Unchanged, Confidentiality Low, Integrity None, Availability None
  • AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality Low, Integrity None, Availability None
SSVC (Organization's Worst-case Scenario)
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
Timeline
  • 2023-10-06 CVE Reserved
  • 2024-03-05 CVE Published
  • 2024-05-02 EPSS Updated
  • 2024-11-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Affected Vendors, Products, and Versions
  • Go Standard Library, net/http, < 1.21.8: Affected
  • Go Standard Library, net/http, >= 1.22.0-0 < 1.22.1: Affected
  • Go Standard Library, net/http/cookiejar, < 1.21.8: Affected
  • Go Standard Library, net/http/cookiejar, >= 1.22.0-0 < 1.22.1: Affected