net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289]

Question

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289]

eks-distro-pr-bot opened this issue 4 months ago · comments

EKS Distro PR Bot commented 4 months ago

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-45289.

/cc @golang/security and @golang/release

Cameron Rozean · Answer 1 · Tue Mar 12 2024 05:52:58 GMT+0800 (China Standard Time)

Fixed in 1.20: #1367