CVE-2024-45336

Summary

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/http0 < 1.22.11affected
Go standard librarynet/http1.23.0-0 < 1.23.5affected
Go standard librarynet/http1.24.0-0 < 1.24.0-rc.2affected

Weaknesses

  • CWE-201: Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References