The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
References
Link | Resource |
---|---|
https://go.dev/cl/506996 | Patch |
https://go.dev/issue/60374 | Issue Tracking Patch |
https://groups.google.com/g/golang-announce/c/2q13H6LEEx0 | Mailing List |
https://pkg.go.dev/vuln/GO-2023-1878 | Vendor Advisory |
https://security.gentoo.org/glsa/202311-09 | |
https://security.netapp.com/advisory/ntap-20230814-0002/ |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Go
Published: 2023-07-11T19:23:58.511Z
Updated: 2023-07-11T19:23:58.511Z
Reserved: 2023-04-05T19:36:35.043Z
Link: CVE-2023-29406
JSON object: View
NVD Information
Status : Modified
Published: 2023-07-11T20:15:10.643
Modified: 2023-11-25T11:15:14.727
Link: CVE-2023-29406
JSON object: View
Redhat Information
No data.
CWE