Fluid Attacks Database

Description

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 13	golang-1.24	>=0 <1.24~rc2-1	1.24~rc2-1
go	stdlib	>=0 <1.22.11	1.22.11
rpm rhel8	containernetworking-plugins	-	-
rpm rhel10	yggdrasil	<0:0.4.5-3.el10_0	0:0.4.5-3.el10_0
rpm rhel10	grafana-pcp	-	-
rpm rhel10	skopeo	-	-
rpm rhel8	skopeo	-	-
rpm rhel9	gvisor-tap-vsock	-	-

1-10 of 58

Aliases

1. CVE-2024-453362. NVD-2024-453363. OSV-DEBIAN-2024-453364. OSV-2024-453365. OSV-GO-2025-34206. GCVE-2024-453367. SECURITY-TRACKER-CVE-2024-45336

References

1. https://go.dev/cl/6431002. https://go.dev/issue/705303. https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ4. https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.