What is the severity of CVE-2023-45289?

CVE-2023-45289 is classified as a medium-severity vulnerability due to its potential for information disclosure.

How do I fix CVE-2023-45289?

To mitigate CVE-2023-45289, upgrade your Go package to version 1.21.8, 1.22.1, or 1.22.11-1 depending on your distribution.

What types of software are affected by CVE-2023-45289?

CVE-2023-45289 affects multiple Go package versions and IBM's Concert Software up to version 1.0.2.1.

What kind of attack can exploit CVE-2023-45289?

CVE-2023-45289 can be exploited by a remote attacker sending specially crafted HTTP requests to gain sensitive information.

Is there a workaround for CVE-2023-45289 if I cannot upgrade?

Currently, there is no known workaround for CVE-2023-45289, and upgrading is strongly advised.

Vulnerability/
CVE-2023-45289

medium

4.3

CWE

212

5/3/2024

21/11/2024

CVE-2023-45289: Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http

First published: Tue Mar 05 2024(Updated: )

Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive headers information, and use this information to launch further attacks against the affected system.

Credit: security@golang.org security@golang.org

Affected Software	Affected Version	How to fix
redhat/go	<1.21.8	1.21.8
redhat/go	<1.22.1	1.22.1
debian/golang-1.15	<=1.15.15-1~deb11u4
debian/golang-1.19	<=1.19.8-2
debian/golang-1.22		1.22.12-3
IBM Rational Team Concert	<=1.0.0, 1.0.1, 1.0.2, 1.0.2.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7176346

Frequently Asked Questions

What is the severity of CVE-2023-45289?
CVE-2023-45289 is classified as a medium-severity vulnerability due to its potential for information disclosure.
How do I fix CVE-2023-45289?
To mitigate CVE-2023-45289, upgrade your Go package to version 1.21.8, 1.22.1, or 1.22.11-1 depending on your distribution.
What types of software are affected by CVE-2023-45289?
CVE-2023-45289 affects multiple Go package versions and IBM's Concert Software up to version 1.0.2.1.
What kind of attack can exploit CVE-2023-45289?
CVE-2023-45289 can be exploited by a remote attacker sending specially crafted HTTP requests to gain sensitive information.
Is there a workaround for CVE-2023-45289 if I cannot upgrade?
Currently, there is no known workaround for CVE-2023-45289, and upgrading is strongly advised.

agent/weakness
agent/title
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/author
collector/usn-cve
source/Ubuntu
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/severity
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-45289
agent/software-canonical-lookup
agent/references
agent/description
collector/nvd-cve
agent/last-modified-date
agent/trending
agent/source
agent/tags
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/ibm-support
source/IBM
agent/software-canonical-lookup-request
package-manager/redhat
package-manager/debian
vendor/ibm
canonical/ibm rational team concert
version/ibm rational team concert/1.0.0, 1.0.1, 1.0.2, 1.0.2.1