blob: 1b247c12226427896b01e29f3cf765131529bd1e [file] [log] [blame]
id: GO-2023-1878
modules:
- module: std
versions:
- fixed: 1.19.11
- introduced: 1.20.0-0
- fixed: 1.20.6
vulnerable_at: 1.20.5
packages:
- package: net/http
symbols:
- Request.write
derived_symbols:
- Client.CloseIdleConnections
- Client.Do
- Client.Get
- Client.Head
- Client.Post
- Client.PostForm
- Get
- Head
- Post
- PostForm
- Request.Write
- Request.WriteProxy
- Transport.CancelRequest
- Transport.CloseIdleConnections
- Transport.RoundTrip
summary: Insufficient sanitization of Host header in net/http
description: |-
The HTTP/1 client does not fully validate the contents of the Host header. A
maliciously crafted Host header can inject additional headers or entire
requests.
With fix, the HTTP/1 client now refuses to send requests containing an invalid
Request.Host or Request.URL.Host value.
credits:
- Bartek Nowotarski
references:
- report: https://go.dev/issue/60374
- fix: https://go.dev/cl/506996
- web: https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
cve_metadata:
id: CVE-2023-29406
cwe: 'CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (''HTTP Request/Response Splitting'')'
references:
- https://security.netapp.com/advisory/ntap-20230814-0002/
- https://security.gentoo.org/glsa/202311-09
review_status: REVIEWED