PT-2024-2133 · Unknown+12 · Httpclient+12

Juho Nurminen

·

Published

2024-03-05

·

Updated

2025-09-04

·

CVE-2023-45289

CVSS v3.1

4.3

Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: golang (affected versions not specified); http.Client (affected versions not specified)

Description: The issue concerns how an http.Client handles HTTP redirects. When a redirect points to a domain that is neither the initial domain nor a subdomain of it, sensitive headers such as Authorization or Cookie are not forwarded. A maliciously crafted HTTP redirect, however, could cause these sensitive headers to be forwarded unexpectedly. For example, a redirect from foo.com to www.foo.com forwards the Authorization header, while a redirect to bar.com does not.

Recommendations: For golang, at the moment there is no information about a newer version that contains a fix for this vulnerability. For http.Client, consider restricting the forwarding of sensitive headers to trusted domains only, to minimize the risk of exploitation. As a temporary workaround, consider disabling the automatic forwarding of sensitive headers until a patch is available.
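The following Go program is an added example, not code from the advisory or from the Go standard library. It shows the policy the description sketches (forward Authorization and Cookie only to the original host or a subdomain of it) with the host canonicalized before comparison, and it wires that policy into an http.Client.CheckRedirect hook as the kind of temporary workaround the recommendations call for. The header list, the canonicalHost/isDomainOrSubdomain helpers and the test hosts are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Headers that must not cross to an unrelated domain (the two the advisory
// names). This list and the checks below are this example's own simplified
// policy, not Go's standard-library implementation.
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// canonicalHost normalizes a URL host so that spellings of the same host
// (case, trailing dot, explicit port, bracketed IPv6 literal) compare equal.
// Comparing hosts before normalizing is exactly where a crafted redirect
// target can slip past a naive string test.
func canonicalHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // "www.foo.com:8443" -> "www.foo.com", "[::1]:80" -> "::1"
	} else {
		host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	}
	host = strings.TrimSuffix(host, ".") // "foo.com." names the same zone as "foo.com"
	return strings.ToLower(host)
}

// isDomainOrSubdomain reports whether child is parent itself or a proper
// subdomain of it. The label boundary ("."+parent) is what keeps
// "evilfoo.com" from matching "foo.com".
func isDomainOrSubdomain(child, parent string) bool {
	child, parent = canonicalHost(child), canonicalHost(parent)
	if parent == "" {
		return false
	}
	return child == parent || strings.HasSuffix(child, "."+parent)
}

// stripSensitiveOnCrossDomainRedirect is the redirect policy. via[0] is the
// original request; req is the redirect about to be sent, with headers
// already copied onto it by the client. Sensitive headers are removed unless
// the new host is the original host or a subdomain of it. The names removed
// are returned so the decision can be logged or tested.
func stripSensitiveOnCrossDomainRedirect(req *http.Request, via []*http.Request) []string {
	if len(via) == 0 || isDomainOrSubdomain(req.URL.Host, via[0].URL.Host) {
		return nil
	}
	var stripped []string
	for _, h := range sensitiveHeaders {
		if req.Header.Get(h) != "" {
			req.Header.Del(h)
			stripped = append(stripped, h)
		}
	}
	return stripped
}

// newHardenedClient applies the policy as defence in depth: even if the
// library's own redirect handling forwards a header it should not, this
// hook removes it before the redirected request leaves the client.
func newHardenedClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			if s := stripSensitiveOnCrossDomainRedirect(req, via); len(s) > 0 {
				fmt.Printf("redirect %s -> %s: stripped %v\n", via[0].URL.Host, req.URL.Host, s)
			}
			return nil
		},
	}
}

func main() {
	// Constructed cases mirroring the advisory: a same-zone redirect keeps the
	// header, a foreign domain and its lookalike spellings lose it.
	cases := [][2]string{
		{"foo.com", "www.foo.com"},
		{"foo.com", "bar.com"},
		{"foo.com", "evilfoo.com"},
		{"foo.com", "WWW.FOO.COM.:8443"},
	}
	for _, c := range cases {
		fmt.Printf("%s -> %s forwards Authorization: %v\n", c[0], c[1], isDomainOrSubdomain(c[1], c[0]))
	}
	_ = newHardenedClient()
}
```

CheckRedirect runs after the client has copied headers onto the redirected request, so deleting a header there is the supported way to override the library's own forwarding decision; the canonicalization step is the part worth keeping even once a fixed runtime is in place.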

Information Disclosure


Weakness Enumeration

Related Identifiers

ALSA-2024:2562
ALSA-2024:2724
ALSA-2024:3259
ALSA-2024:3346
ALT-PU-2024-11781
ALT-PU-2024-11872
ALT-PU-2024-13971
ALT-PU-2024-3504
ALT-PU-2024-3506
ALT-PU-2024-4847
AZL-37462
AZL-37473
AZL-78974
BDU:2024-02034
BIT-GOLANG-2023-45289
CESA-2024_3259
CESA-2024_3346
CVE-2023-45289
GHSA-32CH-6X54-Q4H9
GO-2024-2600
INFSA-2024_2562
INFSA-2024_2724
INFSA-2024_3259
INFSA-2024_3346
OESA-2024-1306
OPENSUSE-SU-2024:13752-1
OPENSUSE-SU-2024:13756-1
OPENSUSE-SU-2024_0812-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3755-1
RHSA-2024:0045
RHSA-2024:2562
RHSA-2024:2724
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:4023
RHSA-2024_2562
RHSA-2024_2724
RHSA-2024_3259
RHSA-2024_3346
RLSA-2024:2562
RLSA-2024:2724
RLSA-2024:3259
RLSA-2024:3346
SUSE-SU-2024:0800-1
SUSE-SU-2024:0811-1
SUSE-SU-2024:0812-1
SUSE-SU-2024:0936-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
SUSE-SU-2024_0800-1
SUSE-SU-2024_0811-1
SUSE-SU-2024_0812-1
SUSE-SU-2024_0936-1
USN-6886-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Golang
Httpclient