CVE-2023-45289
Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http
Descriptions
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
A flaw was found in Go's net/http/cookiejar standard library package. When following an HTTP redirect to a domain that is not a subdomain match or an exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
It was discovered that the Go net/http module did not properly handle requests when the request's headers exceed MaxHeaderBytes. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that the Go net/http module did not properly validate the subdomain match or exact match of the initial domain. An attacker could possibly use this issue to read sensitive information. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
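The rule the descriptions state (an exact or subdomain match of the initial host keeps the header, any other host drops it) can also be enforced on the client side as defence in depth, independent of the net/http version in use. The following is an added example, not code from the Go project; the names `sensitiveHeaders`, `isDomainOrSubdomain`, `stripSensitiveOnCrossDomain` and `newClient` are chosen here, and the hosts used are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers that the advisory says must not cross to an unrelated domain.
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// isDomainOrSubdomain applies the rule from the description: "www.foo.com"
// matches "foo.com", "bar.com" does not. The dot prefix rejects "evilfoo.com".
func isDomainOrSubdomain(host, parent string) bool {
	host, parent = strings.ToLower(host), strings.ToLower(parent)
	return host == parent || strings.HasSuffix(host, "."+parent)
}

// stripSensitiveOnCrossDomain drops sensitive headers from the next redirect
// hop when its host is neither the initial host nor one of its subdomains.
// It returns the names of the headers it removed so callers can log them.
func stripSensitiveOnCrossDomain(req *http.Request, via []*http.Request) []string {
	if len(via) == 0 || isDomainOrSubdomain(req.URL.Hostname(), via[0].URL.Hostname()) {
		return nil
	}
	var removed []string
	for _, name := range sensitiveHeaders {
		if req.Header.Get(name) != "" {
			req.Header.Del(name)
			removed = append(removed, name)
		}
	}
	return removed
}

// newClient wires the check into CheckRedirect, which net/http calls after it
// has copied headers onto the next request, so deletions made here take effect.
func newClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after 10 redirects")
			}
			if removed := stripSensitiveOnCrossDomain(req, via); len(removed) > 0 {
				fmt.Printf("redirect to %s: dropped %v\n", req.URL.Host, removed)
			}
			return nil
		},
	}
}
```

The printed line doubles as a detection hook: a cross-domain redirect that carried credentials is worth logging even when the client silently drops them.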
SSVC
- Decision: Track
Timeline
- 2023-10-06 CVE Reserved
- 2024-03-05 CVE Published
- 2025-02-13 CVE Updated
- 2025-04-01 EPSS Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References (8)
URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2023-45289 | 2024-11-13 |
https://bugzilla.redhat.com/show_bug.cgi?id=2268018 | 2024-11-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Go Standard Library | Net/http | < 1.21.8 | en | Affected
Go Standard Library | Net/http | >= 1.22.0-0 < 1.22.1 | en | Affected
Go Standard Library | Net/http/cookiejar | < 1.21.8 | en | Affected
Go Standard Library | Net/http/cookiejar | >= 1.22.0-0 < 1.22.1 | en | Affected