Sensitive headers incorrectly forwarded on HTTP redirect
CVE-2023-45289
4.3 MEDIUM
What is CVE-2023-45289?
When following an HTTP redirect to a domain that is neither an exact match nor a subdomain of the initial request's domain, an http.Client is meant not to forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com forwards the Authorization header, but a redirect to bar.com should not. In the affected versions that domain check could be fooled: a maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded to a host outside the original domain.
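As an added example (not code from the Go project or from this advisory), the following enforces the header-forwarding rule the description above intends from the caller's side, through http.Client.CheckRedirect. net/http invokes CheckRedirect after it has already copied onto the next request the headers it decided to keep, so a policy installed there can drop sensitive headers on any hop that leaves the original domain, whatever the client's own matching concluded. The function names (sameDomainOrSubdomain, stripSensitiveOnCrossDomainRedirect, survivingHeaders), the hostnames and the header values are constructed for the example, and the refusal to suffix-match IP literals is this example's conservative choice, not a description of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// sensitiveHeaders are the request headers net/http is meant to drop
// when a redirect leaves the original domain and its subdomains.
var sensitiveHeaders = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2"}

// sameDomainOrSubdomain reports whether host is parent itself or a
// subdomain of it: ("www.foo.com", "foo.com") is true, while
// ("bar.com", "foo.com") and ("notfoo.com", "foo.com") are false.
// Conservative choice of this example (an assumption, not the upstream
// fix): a host containing ':' or '%' is an IP literal, possibly with a
// free-form zone identifier, and can never be a DNS subdomain, so it is
// never matched by suffix.
func sameDomainOrSubdomain(host, parent string) bool {
	host, parent = strings.ToLower(host), strings.ToLower(parent)
	if parent == "" {
		return false
	}
	if host == parent {
		return true
	}
	if strings.ContainsAny(host, ":%") {
		return false
	}
	// The dot is required so that "notfoo.com" does not match "foo.com".
	return strings.HasSuffix(host, "."+parent)
}

// stripSensitiveOnCrossDomainRedirect is an http.Client.CheckRedirect
// policy. via[0] is the original request the caller built; req is the
// redirected request, which already carries the headers net/http chose
// to copy. Deleting them here applies the intended rule regardless of
// how the client's own domain comparison went.
func stripSensitiveOnCrossDomainRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects") // same limit as the default policy
	}
	if !sameDomainOrSubdomain(req.URL.Hostname(), via[0].URL.Hostname()) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// survivingHeaders simulates one redirect hop from fromURL to toURL
// offline: it builds the next request the way net/http does (original
// headers copied over), runs the policy above, and returns the names of
// the sensitive headers still present. Header values are sample data.
func survivingHeaders(fromURL, toURL string) ([]string, error) {
	first, err := http.NewRequest(http.MethodGet, fromURL, nil)
	if err != nil {
		return nil, err
	}
	first.Header.Set("Authorization", "Bearer sample-token") // constructed
	first.Header.Set("Cookie", "session=sample")             // constructed

	next, err := http.NewRequest(http.MethodGet, toURL, nil)
	if err != nil {
		return nil, err
	}
	for k, vv := range first.Header {
		next.Header[k] = vv
	}
	if err := stripSensitiveOnCrossDomainRedirect(next, []*http.Request{first}); err != nil {
		return nil, err
	}
	var kept []string
	for _, h := range sensitiveHeaders {
		if next.Header.Get(h) != "" {
			kept = append(kept, h)
		}
	}
	return kept, nil
}

func main() {
	// Wiring the policy into a real client looks like this.
	client := &http.Client{CheckRedirect: stripSensitiveOnCrossDomainRedirect}
	_ = client

	for _, to := range []string{"https://www.foo.com/", "https://bar.com/", "https://notfoo.com/"} {
		kept, err := survivingHeaders("https://foo.com/login", to)
		fmt.Printf("foo.com -> %s: kept=%v err=%v\n", to, kept, err)
	}
}
```

This hook only covers headers set on the request. Cookies that a Client.Jar attaches are added when the request is sent, after CheckRedirect has run, so the jar's own domain matching (net/http/cookiejar is listed below as affected too) is not reached from here; upgrading to a fixed release is the actual remedy, and the hook is defence in depth for callers who cannot upgrade immediately.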
Affected Version(s)
net/http: all versions before 1.21.8
net/http: from 1.22.0-0 (the 1.22 line, pre-releases included) before 1.22.1
net/http/cookiejar: all versions before 1.21.8
References
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Juho Nurminen of Mattermost