Bug 2341751 (CVE-2024-45336) - CVE-2024-45336 golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect [NEEDINFO]
Summary: CVE-2024-45336 golang: net/http: net/http: sensitive headers incorrectly sent...
Keywords:
Status: MODIFIED
Alias: CVE-2024-45336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2341932 2341933 2341934 2341935 2350678
Blocks:
Reported: 2025-01-23 13:09 UTC by OSIDB Bzimport
Modified: 2025-05-15 23:13 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
tsweeney: needinfo? (rgatica)




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2025:3823 | 0 | None | None | None | 2025-04-10 19:46:16 UTC
Red Hat Product Errata | RHSA-2025:3131 | 0 | None | None | None | 2025-03-26 17:39:41 UTC
Red Hat Product Errata | RHSA-2025:3335 | 0 | None | None | None | 2025-03-27 14:57:04 UTC
Red Hat Product Errata | RHSA-2025:3593 | 0 | None | None | None | 2025-04-03 13:35:16 UTC
Red Hat Product Errata | RHSA-2025:3772 | 0 | None | None | None | 2025-04-10 00:22:38 UTC
Red Hat Product Errata | RHSA-2025:3922 | 0 | None | None | None | 2025-04-15 17:24:47 UTC
Red Hat Product Errata | RHSA-2025:4810 | 0 | None | None | None | 2025-05-12 15:06:18 UTC
Red Hat Product Errata | RHSA-2025:7326 | 0 | None | None | None | 2025-05-13 10:36:49 UTC
Red Hat Product Errata | RHSA-2025:7466 | 0 | None | None | None | 2025-05-13 15:56:38 UTC
Red Hat Product Errata | RHSA-2025:7624 | 0 | None | None | None | 2025-05-14 17:49:02 UTC

Description OSIDB Bzimport 2025-01-23 13:09:25 UTC
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.

In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

Comment 3 Debarshi Ray 2025-01-28 16:48:33 UTC
After a little bit of Git archaeology, I found that this was fixed in Go 1.22.11 with:
https://github.com/golang/go/commit/b72d56f98d6620eb

... and in Go 1.23.5 with:
https://github.com/golang/go/commit/bb8230f805359456
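The redirect chain from the description (a.com/ to b.com/1 to b.com/2) can be turned into a regression check that runs against whatever Go toolchain built your binaries, without any network. The example below is added here and is not code from the Go project or from this bug; the hosts a.example and b.example, the bearer token and the in-memory transport are constructed for the check.

```go
package main

import "net/http"

// chainTransport is an in-memory http.RoundTripper (no network). The hosts
// a.example and b.example are constructed for this check; seen records, per
// requested URL, whether the Authorization header was still attached.
type chainTransport struct{ seen map[string]bool }

// next maps each redirecting hop to its target: the advisory's chain.
var next = map[string]string{
	"a.example/":  "http://b.example/1", // cross-domain: client must drop Authorization
	"b.example/1": "http://b.example/2", // same-domain: must not restore it
}

func (t *chainTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.seen[req.URL.String()] = req.Header.Get("Authorization") != ""
	resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
		Body: http.NoBody, Request: req}
	if loc, ok := next[req.URL.Host+req.URL.Path]; ok {
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", loc)
	}
	return resp, nil
}

// FollowChain sends one GET carrying a constructed bearer token through the
// chain via the real net/http redirect logic and returns what each hop saw.
func FollowChain() (map[string]bool, error) {
	tr := &chainTransport{seen: map[string]bool{}}
	req, err := http.NewRequest(http.MethodGet, "http://a.example/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer constructed-test-token")
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return tr.seen, nil
}

// AuthorizationLeaked is true when the header reached b.example on any hop,
// the CVE-2024-45336 behaviour; a Go fixed per comment 3 returns false.
func AuthorizationLeaked(seen map[string]bool) bool {
	return seen["http://b.example/1"] || seen["http://b.example/2"]
}
```

Call FollowChain from a test and fail the build when AuthorizationLeaked reports true; on Go 1.22.11 / 1.23.5 or later the header is seen only at a.example/.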

Comment 6 errata-xmlrpc 2025-03-26 17:39:32 UTC
This issue has been addressed in the following products:

  RHOL-6.1-RHEL-9

Via RHSA-2025:3131 https://access.redhat.com/errata/RHSA-2025:3131

Comment 7 errata-xmlrpc 2025-03-27 14:56:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3335 https://access.redhat.com/errata/RHSA-2025:3335

Comment 8 errata-xmlrpc 2025-04-03 13:35:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3593 https://access.redhat.com/errata/RHSA-2025:3593

Comment 9 errata-xmlrpc 2025-04-10 00:22:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3772 https://access.redhat.com/errata/RHSA-2025:3772

Comment 10 errata-xmlrpc 2025-04-15 17:24:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2025:3922 https://access.redhat.com/errata/RHSA-2025:3922

Comment 15 errata-xmlrpc 2025-05-12 15:06:05 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2025:4810 https://access.redhat.com/errata/RHSA-2025:4810

Comment 16 errata-xmlrpc 2025-05-13 10:36:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7326 https://access.redhat.com/errata/RHSA-2025:7326

Comment 17 errata-xmlrpc 2025-05-13 15:56:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7466 https://access.redhat.com/errata/RHSA-2025:7466

Comment 18 errata-xmlrpc 2025-05-14 17:48:50 UTC
This issue has been addressed in the following products:

  Satellite Client 6 for RHEL 8
  Satellite Client 6 for RHEL 9
  Satellite Client 6 for RHEL 10

Via RHSA-2025:7624 https://access.redhat.com/errata/RHSA-2025:7624

