CVE-2023-29406
N/A
N/A
Summary
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | net/http | 0 < 1.19.11 | affected |
| Go standard library | net/http | 1.20.0-0 < 1.20.6 | affected |
Weaknesses
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
ADP Enrichment
CVE Program Container
Additional References
- https://go.dev/issue/60374
- https://go.dev/cl/506996
- https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
- https://pkg.go.dev/vuln/GO-2023-1878
- https://security.netapp.com/advisory/ntap-20230814-0002/
- https://security.gentoo.org/glsa/202311-09
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://go.dev/issue/60374
- https://go.dev/cl/506996
- https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
- https://pkg.go.dev/vuln/GO-2023-1878
- https://security.netapp.com/advisory/ntap-20230814-0002/
- https://security.gentoo.org/glsa/202311-09
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.