Metric | Value |
---|---|
CVSS3 | 6.5 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
EPSS | 0.001 Low |
EPSS Percentile | 39.1% |
The HTTP/1 client does not fully validate the contents of the Host header.
A maliciously crafted Host header can inject additional headers or entire
requests. With the fix, the HTTP/1 client refuses to send requests
containing an invalid Request.Host or Request.URL.Host value.
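As an added example (not code from the Go project or from this advisory), the following is a pre-flight check an application can apply to `Request.Host` and `Request.URL.Host` before handing a request to the client, for instance while binaries are still built with an unpatched toolchain. The function names `ValidHost` and `CheckOutbound` and the byte allowlist are assumptions of this example, chosen conservatively; they are not the upstream validation logic.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// hostByteOK is this example's allowlist: letters, digits, and "-._:[]%".
func hostByteOK(c byte) bool {
	switch {
	case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		return true
	}
	return strings.IndexByte("-._:[]%", c) >= 0
}

// ValidHost rejects any host[:port] value containing a byte outside the
// allowlist, which covers CR, LF, space and other control characters.
func ValidHost(host string) bool {
	for i := 0; i < len(host); i++ {
		if !hostByteOK(host[i]) {
			return false
		}
	}
	return true
}

// CheckOutbound validates both fields named in the advisory. An empty
// Request.Host is accepted because the client then falls back to URL.Host.
func CheckOutbound(req *http.Request) error {
	if !ValidHost(req.Host) {
		return fmt.Errorf("invalid Request.Host %q", req.Host)
	}
	if req.URL != nil && !ValidHost(req.URL.Host) {
		return fmt.Errorf("invalid Request.URL.Host %q", req.URL.Host)
	}
	return nil
}

func main() {
	// Constructed sample values; the last one carries a CR LF sequence.
	samples := []string{"example.com", "example.com:8443", "[::1]:8080", "example.com\r\nX-Added: 1"}
	for _, h := range samples {
		req := &http.Request{Method: "GET", URL: &url.URL{Scheme: "http", Host: "example.com"}, Host: h}
		fmt.Printf("%q -> %v\n", h, CheckOutbound(req))
	}
}
```

Call `CheckOutbound` wherever a Host value derived from untrusted input is assigned to an outgoing request, and treat a returned error as a reason to drop the request rather than to sanitize and retry.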
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.16 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.16 | < any | UNKNOWN |
github.com/golang/go/commit/312920c00aac9897b2a0693e752390b5b0711a5a (go1.20.6)
github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b (go1.19.11)
github.com/golang/go/issues/60374
go.dev/cl/506996
go.dev/issue/60374
groups.google.com/g/golang-announce/c/2q13H6LEEx0
launchpad.net/bugs/cve/CVE-2023-29406
nvd.nist.gov/vuln/detail/CVE-2023-29406
pkg.go.dev/vuln/GO-2023-1878
security-tracker.debian.org/tracker/CVE-2023-29406
www.cve.org/CVERecord?id=CVE-2023-29406