CVE-2023-45289

Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http

Severity Score

4.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

A flaw was found in Go's net/http/cookiejar standard library package. When following an HTTP redirect to a domain that is not a subdomain match or an exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
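The rule the advisory describes (forward sensitive headers only to an exact match or a subdomain of the initial host) can be enforced on the client side as a defence in depth, independently of which Go version is installed. The following is an added example, not code from the advisory, the Go project or any of the listed vendors; the names forwardSensitive and StripOnCrossHostRedirect are its own, and treating IP literals (zoned or not) and hosts with non-DNS characters as never subdomain-matching is this example's conservative assumption, not a description of the patched standard library.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// Headers that must not travel to an unrelated host on a redirect.
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// canonicalHost drops a port, IPv6 brackets and a trailing dot, then lower-cases.
func canonicalHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.ToLower(strings.Trim(host, "[]."))
}

// forwardSensitive applies the advisory's rule (exact match or subdomain of the initial host).
// Assumption of this example, not of the stdlib: IP literals and non-DNS-looking hosts match only exactly.
func forwardSensitive(initialHost, redirectHost string) bool {
	i, r := canonicalHost(initialHost), canonicalHost(redirectHost)
	if i == r {
		return true
	}
	notDNS := func(c rune) bool {
		return !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-' || c == '.')
	}
	if _, err := netip.ParseAddr(r); err == nil || strings.IndexFunc(r, notDNS) >= 0 {
		return false
	}
	return strings.HasSuffix(r, "."+i)
}

// StripOnCrossHostRedirect is an http.Client.CheckRedirect hook that enforces the policy itself;
// use &http.Client{CheckRedirect: StripOnCrossHostRedirect}.
func StripOnCrossHostRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if !forwardSensitive(via[0].URL.Host, req.URL.Host) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}
```

The hook runs before each redirected request is sent, so it removes Authorization and Cookie from a request bound for an unrelated host even if the client had already copied them.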

This update for go1.21-openssl fixes the following issues:
  • Fixed denial of service due to improper 100-continue handling.
  • Fixed mishandling of a corrupt central directory record in archive/zip.
  • Fixed unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip.
  • Fixed arbitrary code execution during build on darwin in cmd/go.
  • Fixed denial of service due to closing connections when receiving too many headers in net/http and x/net/http2.
  • Fixed incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http and net/http/cookiejar.
  • Fixed memory exhaustion in Request.ParseMultipartForm in net/http.
  • Fixed denial of service on certificates with an unknown public key algorithm in crypto/x509.
  • Fixed incorrect handling of comments in display names in net/mail.
  • Fixed errors returned from MarshalJSON methods breaking template escaping in html/template.

*Credits: Juho Nurminen of Mattermost
CVSS Scores
CVSS v3.x
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS v3.x
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-10-06 CVE Reserved
  • 2024-03-05 CVE Published
  • 2025-02-13 CVE Updated
  • 2025-06-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Go Standard Library | Net/http | < 1.21.8 | en | Affected
Go Standard Library | Net/http | >= 1.22.0-0 < 1.22.1 | en | Affected
Go Standard Library | Net/http/cookiejar | < 1.21.8 | en | Affected
Go Standard Library | Net/http/cookiejar | >= 1.22.0-0 < 1.22.1 | en | Affected