2222167 – (CVE-2023-29406) CVE-2023-29406 golang: net/http: insufficient sanitization of Host header

Bug 2222167 (CVE-2023-29406) - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header

Summary: CVE-2023-29406 golang: net/http: insufficient sanitization of Host header

Keywords:
Status:	NEW
Alias:	CVE-2023-29406
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2222293 2222294 2222295 2222297 2222298 2222301 2222303 2222305 2222306 2222307 2222308 2222309 2222310 2222312 2222313 2222314 2222315 2222316 2222317 2222318 2222319 2222320 2222321 2222322 2222323 2222324 2222325 2222329 2222330 2222331 2222332 2222333 2222337 2222338 2222339 2222340 2222341 2222342 2222343 2224490 2224491 2222291 2222296 2222299 2222302 2222304 2222326 2222327 2222328 2222334 2222335 2222336
Blocks:	2222178
TreeView+	depends on / blocked

Reported:	2023-07-12 06:04 UTC by Avinash Hanwate
Modified:	2023-08-03 19:08 UTC (History)
CC List:	145 users (show)
Fixed In Version:	golang 1.19.11, golang 1.20.6
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Golang, where it is vulnerable to HTTP header injection caused by improper content validation of the Host header by the HTTP/1 client. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted Web page. This flaw allows the attacker to conduct various attacks against the vulnerable system, including Cross-site scripting, cache poisoning, or session hijacking.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-07-12 06:04:15 UTC

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://go.dev/cl/506996
https://pkg.go.dev/vuln/GO-2023-1878
https://go.dev/issue/60374

Comment 4 Avinash Hanwate 2023-07-21 06:33:30 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 2224490]
Affects: fedora-all [bug 2224491]

Note You need to log in before you can comment on or make changes to this bug.

aazores
abenaiss
abishop
adudiak
aileenc
amasferr
amctagga
ansmith
aoconnor
asm
aveerama
bbaude
bbuckingham
bcl
bcourt
bniver
bodavis
chazlett
davidn
dbenoit
dcadzow
debarshir
desktop-qa-list
dfreiber
dhellmann
dhughes
dkenigsb
dperaza
dsimansk
dwalsh
dymurray
eaguilar
ebaron
eglynn
ehelms
ellin
emachado
epacific
eric.wittmann
fdeutsch
flucifre
gmeno
gparvin
grafana-maint
ibolton
jaharrin
janstey
jburrell
jcammara
jcantril
jchui
jeder
jhardy
jjoyce
jkang
jkoehler
jkurik
jligon
jmatthew
jmontleo
jneedle
jnovy
jobarker
jpallich
jsherril
jwendell
kshier
lball
lhh
lmadsen
lsm5
lzap
mabashia
matzew
mbenjamin
mboddu
mburns
mcressma
mgarciac
mhackett
mheon
mhulan
mkudlej
mmagr
mnewsome
mrunge
mwringe
myarboro
nathans
nbecker
nboldt
njean
nmoumoul
nobody
opohorel
orabin
oramraz
osapryki
osbuilders
owatkins
pahickey
pantinor
pcreech
peholase
pehunt
periklis
pgrist
pjindal
pthomas
rcernich
rchan
rgarg
rhcos-sst
rhos-maint
rhuss
rjohnson
rogbas
saroy
scorneli
scox
sfroberg
sgott
shbose
simaishi
sipoyare
skontopo
slucidi
smcdonal
smullick
sostapov
sseago
stcannon
teagle
tfister
tjochec
tstellar
tsweeney
twalsh
ubhargav
umohnani
vereddy
vkumar
whayutin
yguenane
zsadeh