Launchpad.net

CVE 2023-45289

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

Related bugs and status

CVE-2023-45289 (Candidate) is related to these bugs:

Bug #2056309: Sync golang-1.21 1.21.8-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2056309	Sync golang-1.21 1.21.8-1 (main) from Debian unstable (main)		golang-1.21 (Ubuntu)	Wishlist	Fix Released

Bug #2056310: Sync golang-1.22 1.22.1-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2056310	Sync golang-1.22 1.22.1-1 (main) from Debian unstable (main)		golang-1.22 (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2023-45289

Related bugs and status

Related bugs

References