When following an HTTP redirect to a domain which is not a subdomain match
or exact match of the initial domain, an http.Client does not forward
sensitive headers such as “Authorization” or “Cookie”. For example, a
redirect from foo.com to www.foo.com will forward the Authorization header,
but a redirect to bar.com will not. A maliciously crafted HTTP redirect
could cause sensitive headers to be unexpectedly forwarded.
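The following Go program is an added illustration, not code from this page or from the Go project: it exercises the redirect rule described above through an in-memory RoundTripper, so no network or DNS is involved, and the hosts foo.com, www.foo.com and bar.com together with the header values are constructed. It shows Authorization and Cookie surviving the redirect to the subdomain but being dropped on the cross-domain redirect, while a non-sensitive header is forwarded in both cases; a check of this shape makes a useful regression test when moving to a fixed toolchain.

```go
package main

import (
	"fmt"
	"net/http"
)

// redirectingTransport is a constructed in-memory RoundTripper (no network traffic): it records
// the headers each host receives and answers the first host with a 302 to redirectHost.
type redirectingTransport struct {
	firstHost, redirectHost string
	received                map[string]http.Header // host -> headers that arrived there
}

func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.received[req.URL.Host] = req.Header.Clone()
	resp := &http.Response{StatusCode: http.StatusOK, Header: make(http.Header), Body: http.NoBody}
	if req.URL.Host == t.firstHost {
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", "http://"+t.redirectHost+"/")
	}
	return resp, nil
}

// HeadersAfterRedirect sends GET http://<firstHost>/ with Authorization, Cookie and a custom X-Trace
// header, lets http.Client follow the redirect, and returns the three values seen at redirectHost.
func HeadersAfterRedirect(firstHost, redirectHost string) (string, string, string, error) {
	tr := &redirectingTransport{firstHost, redirectHost, map[string]http.Header{}}
	req, err := http.NewRequest(http.MethodGet, "http://"+firstHost+"/", nil)
	if err != nil {
		return "", "", "", err
	}
	req.Header.Set("Authorization", "Bearer constructed-token")
	req.Header.Set("Cookie", "session=constructed")
	req.Header.Set("X-Trace", "constructed-id") // not sensitive: always forwarded
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return "", "", "", err
	}
	resp.Body.Close()
	h := tr.received[redirectHost] // "" for a header the client dropped
	return h.Get("Authorization"), h.Get("Cookie"), h.Get("X-Trace"), nil
}

func main() {
	for _, target := range []string{"www.foo.com", "bar.com"} { // subdomain vs. unrelated domain
		a, c, x, err := HeadersAfterRedirect("foo.com", target)
		fmt.Printf("foo.com -> %s: Authorization=%q Cookie=%q X-Trace=%q err=%v\n", target, a, c, x, err)
	}
}
```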
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.16 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.16 | < any | UNKNOWN |
github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 (go1.21.8)
github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be (go1.22.1)
github.com/golang/go/issues/65065
go.dev/cl/569340
go.dev/issue/65065
groups.google.com/g/golang-announce/c/5pwGVUPoMbg
launchpad.net/bugs/cve/CVE-2023-45289
nvd.nist.gov/vuln/detail/CVE-2023-45289
pkg.go.dev/vuln/GO-2024-2600
security-tracker.debian.org/tracker/CVE-2023-45289
ubuntu.com/security/notices/USN-6886-1
www.cve.org/CVERecord?id=CVE-2023-45289