Bug 2222167 (CVE-2023-29406) - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
Summary: CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
Keywords:
Status: NEW
Alias: CVE-2023-29406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222291 2222293 2222294 2222295 2222296 2222297 2222298 2222299 2222301 2222302 2222303 2222304 2222305 2222306 2222307 2222308 2222310 2222312 2222313 2222314 2222315 2222316 2222317 2222318 2222319 2222320 2222321 2222322 2222323 2222324 2222325 2222326 2222327 2222328 2222329 2222330 2222331 2222332 2222333 2222334 2222335 2222336 2222337 2222338 2222339 2222340 2222341 2222342 2222343 2224490 2224491 2236647 2236831
Blocks: 2222178
Reported: 2023-07-12 06:04 UTC by Avinash Hanwate
Modified: 2024-04-04 12:22 UTC (History)

Fixed In Version: golang 1.19.11, golang 1.20.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang's net/http package: the HTTP/1 client does not properly validate the contents of the Host header, which makes it vulnerable to HTTP header injection. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted web page. This flaw allows the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, or session hijacking.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6806 0 None None None 2023-11-08 10:40:22 UTC
Red Hat Product Errata RHBA-2023:6807 0 None None None 2023-11-08 10:40:41 UTC
Red Hat Product Errata RHSA-2023:5530 0 None None None 2023-10-20 05:04:55 UTC
Red Hat Product Errata RHSA-2023:5541 0 None None None 2023-10-20 04:12:07 UTC
Red Hat Product Errata RHSA-2023:5933 0 None None None 2023-10-26 01:04:51 UTC
Red Hat Product Errata RHSA-2023:5935 0 None None None 2023-10-19 16:50:30 UTC
Red Hat Product Errata RHSA-2023:5947 0 None None None 2023-10-26 00:47:58 UTC
Red Hat Product Errata RHSA-2023:5965 0 None None None 2023-10-20 14:57:27 UTC
Red Hat Product Errata RHSA-2023:5974 0 None None None 2023-10-20 16:50:09 UTC
Red Hat Product Errata RHSA-2023:5976 0 None None None 2023-10-20 17:18:44 UTC
Red Hat Product Errata RHSA-2023:6031 0 None None None 2023-10-23 14:24:48 UTC
Red Hat Product Errata RHSA-2023:6085 0 None None None 2023-10-24 15:32:45 UTC
Red Hat Product Errata RHSA-2023:6115 0 None None None 2023-10-25 14:02:09 UTC
Red Hat Product Errata RHSA-2023:6161 0 None None None 2023-10-30 02:16:26 UTC
Red Hat Product Errata RHSA-2023:6296 0 None None None 2023-11-02 19:16:14 UTC
Red Hat Product Errata RHSA-2023:6298 0 None None None 2023-11-03 08:45:50 UTC
Red Hat Product Errata RHSA-2023:6346 0 None None None 2023-11-07 08:13:48 UTC
Red Hat Product Errata RHSA-2023:6363 0 None None None 2023-11-07 08:14:24 UTC
Red Hat Product Errata RHSA-2023:6402 0 None None None 2023-11-07 08:16:11 UTC
Red Hat Product Errata RHSA-2023:6473 0 None None None 2023-11-07 08:17:23 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:18:00 UTC
Red Hat Product Errata RHSA-2023:6818 0 None None None 2023-11-08 14:17:33 UTC
Red Hat Product Errata RHSA-2023:6840 0 None None None 2023-11-15 04:38:12 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:56 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:42 UTC
Red Hat Product Errata RHSA-2023:7202 0 None None None 2023-11-14 16:55:23 UTC
Red Hat Product Errata RHSA-2024:0293 0 None None None 2024-01-23 21:32:39 UTC
Red Hat Product Errata RHSA-2024:1027 0 None None None 2024-02-28 18:14:27 UTC
Red Hat Product Errata RHSA-2024:1570 0 None None None 2024-03-28 20:50:19 UTC

Description Avinash Hanwate 2023-07-12 06:04:15 UTC
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With the fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://go.dev/cl/506996
https://pkg.go.dev/vuln/GO-2023-1878
https://go.dev/issue/60374

Comment 4 Avinash Hanwate 2023-07-21 06:33:30 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2224490]
Affects: fedora-all [bug 2224491]

Comment 6 Debarshi Ray 2023-08-24 13:10:09 UTC
I see that there are toolbox bugs for RHEL 8 (bug 2222320 and bug 2222325), but not for RHEL 9.  Is that intentional?  There's no real difference between the Toolbx code we ship across RHEL 8 and 9.

We have been missing RHEL 9 CVE bugs for toolbox in recent times.  So I wonder if a bug has crept into some script.

Comment 12 errata-xmlrpc 2023-10-19 16:50:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935

Comment 13 errata-xmlrpc 2023-10-20 04:12:00 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:5541 https://access.redhat.com/errata/RHSA-2023:5541

Comment 14 errata-xmlrpc 2023-10-20 05:04:48 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2023:5530 https://access.redhat.com/errata/RHSA-2023:5530

Comment 17 errata-xmlrpc 2023-10-20 14:57:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5965 https://access.redhat.com/errata/RHSA-2023:5965

Comment 18 errata-xmlrpc 2023-10-20 16:50:00 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974

Comment 19 errata-xmlrpc 2023-10-20 17:18:35 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976

Comment 20 errata-xmlrpc 2023-10-23 14:24:39 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031

Comment 21 errata-xmlrpc 2023-10-24 15:32:38 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085

Comment 22 errata-xmlrpc 2023-10-25 14:02:01 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115

Comment 23 errata-xmlrpc 2023-10-26 00:47:49 UTC
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947

Comment 24 errata-xmlrpc 2023-10-26 01:04:44 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:5933 https://access.redhat.com/errata/RHSA-2023:5933

Comment 25 errata-xmlrpc 2023-10-30 02:16:19 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161

Comment 26 errata-xmlrpc 2023-11-02 19:16:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Serverless 1.30

Via RHSA-2023:6296 https://access.redhat.com/errata/RHSA-2023:6296

Comment 27 errata-xmlrpc 2023-11-03 08:45:41 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:6298 https://access.redhat.com/errata/RHSA-2023:6298

Comment 28 errata-xmlrpc 2023-11-07 08:13:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 29 errata-xmlrpc 2023-11-07 08:14:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 30 errata-xmlrpc 2023-11-07 08:16:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 31 errata-xmlrpc 2023-11-07 08:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 32 errata-xmlrpc 2023-11-07 08:17:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 33 errata-xmlrpc 2023-11-08 14:17:25 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818

Comment 34 errata-xmlrpc 2023-11-14 15:16:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 35 errata-xmlrpc 2023-11-14 15:17:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 36 errata-xmlrpc 2023-11-14 16:55:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7202 https://access.redhat.com/errata/RHSA-2023:7202

Comment 37 errata-xmlrpc 2023-11-15 04:38:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840

Comment 39 errata-xmlrpc 2024-01-23 21:32:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0293 https://access.redhat.com/errata/RHSA-2024:0293

Comment 40 errata-xmlrpc 2024-02-28 18:14:19 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027

Comment 46 errata-xmlrpc 2024-03-28 20:50:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:1570 https://access.redhat.com/errata/RHSA-2024:1570
