CVE-2023-29406 — Interpretation Conflict in Standard Library NET Http

CWE-436 — Interpretation Conflict CWE-113 — HTTP Request/Response Splitting10 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 42.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library NET Http Golang GO

Timeline

PublishedJul 11

Latest updateNov 14

Description

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5go_standard_library/net_http1.20.0-0 — 1.20.6+1

▶NVDgolang/go1.20.0 — 1.20.6+1

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

GHSA

GHSA-f8f7-69v5-w4vx: The HTTP/1 client does not fully validate the contents of the Host header↗2023-07-11

▶

CVEList

Insufficient sanitization of Host header in net/http↗2023-07-11

▶

OSV

CVE-2023-29406: The HTTP/1 client does not fully validate the contents of the Host header↗2023-07-11

▶

OSV

Insufficient sanitization of Host header in net/http↗2023-07-11

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-10-10

▶

Microsoft

Insufficient sanitization of Host header in net/http↗2023-07-11

▶

Red Hat

golang: net/http: insufficient sanitization of Host header↗2023-07-11

▶

Debian

CVE-2023-29406: golang-1.15 - The HTTP/1 client does not fully validate the contents of the Host header. A mal...↗2023

▶