Security [Medium] CVE-2024-45336 #1659

upbound-bot · 2025-02-03T08:33:04Z

Vulnerability Details

ID: CVE-2024-45336
Severity: Medium
Affected Provider Version: ['v1.17.2', 'v1.14.2', 'v1.16.2', 'v1.20.0', 'v1.15.2', 'v1.12.0', 'v1.19.0', 'v1.11.0', 'v1.13.3', 'v1.18.3']
Package: stdlib
Package Version: go1.23.3
Type: go-module
Description: The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
Fix State: fixed
Fix Versions: 1.22.11, 1.23.5, 1.24.0-rc2
Artifact Paths: /usr/local/bin/provider
More Info: https://go.dev/cl/643100, https://go.dev/issue/70530, https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ, https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ, https://pkg.go.dev/vuln/GO-2025-3420

This vulnerability was detected during the periodic CVE scan.

sergenyalcin added the vulnerability label Feb 5, 2025