CVE Tools
Sign in

CVE-2023-45289

Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http

Published: Mar 5, 2024Updated: Nov 21, 2024 Sources: CVE List NVD BDU
NVD MITRE
4.3CVSSMEDIUM
EPSS Score
1.1%
Top 39.5%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Affected Products

net/httpGo standard library
LibraryLibrary
OSS Libraries / generic-library
net/http/cookiejarGo standard library
Library
OSS Libraries / go
Debian GNU/LinuxСообщество свободного программного обеспечения
On-premOS
Operating Systems / linux-distro
РЕД ОСООО «Ред Софт»
On-premOS
Operating Systems / linux-distro
GoThe Go ProjectOSS Libraries
go standard libraryoss-projectUSOSS Librariesaka golang standard library, net/http, crypto/x509, html/template
сообщество свободного программного обеспеченияoss-projectOperating Systemsaka сообщество свободного программного обеспечения, fsf
ооо «ред софт»commercialRUOperating Systemsaka red soft
the go projectoss-projectOSS Librariesaka go, golang-google-protobuf, crypto

Exploitability

Official Patch Available

References

http://www.openwall.com/lists/oss-security/2024/03/08/4
openwall.com
https://go.dev/cl/569340
go.dev
https://go.dev/issue/65065
go.dev
and 10 more references View all →

Timeline

Published
Mar 5, 2024
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-45289 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows