Lucene search
HistoryJul 11, 2023 - 8:15 p.m.
CVE-2023-29406
http/1
injection
host header
security vulnerability
nvd
cve-2023-29406
CVSS3
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
7
Confidence
High
EPSS
0.001
Percentile
45.1%
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
Affected configurations
Node
golanggoRange<1.19.11
ORgolanggoRange1.20.0โ1.20.6
CNA Affected
[
{
"vendor": "Go standard library",
"product": "net/http",
"collectionURL": "https://pkg.go.dev",
"packageName": "net/http",
"versions": [
{
"version": "0",
"lessThan": "1.19.11",
"status": "affected",
"versionType": "semver"
},
{
"version": "1.20.0-0",
"lessThan": "1.20.6",
"status": "affected",
"versionType": "semver"
}
],
"programRoutines": [
{
"name": "Request.write"
},
{
"name": "Client.CloseIdleConnections"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "Get"
},
{
"name": "Head"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "Request.Write"
},
{
"name": "Request.WriteProxy"
},
{
"name": "Transport.CancelRequest"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.RoundTrip"
}
],
"defaultStatus": "unaffected"
}
]Related
nessus
nessus
Amazon Linux 2023 : runc (ALAS2023-2023-311)
2023-08-24 00:00:00
Amazon Linux 2 : golist (ALAS-2023-2185)
2023-08-14 00:00:00
Amazon Linux 2 : runc (ALASECS-2023-005)
2023-09-06 00:00:00
osv
osv
CVE-2023-29406
2023-07-11 20:15:10
Moderate: container-tools:4.0 security and bug fix update
2023-11-28 22:43:02
BIT-golang-2023-29406
2024-03-06 10:55:04
redhatcve
redhatcve
CVE-2023-29406
2023-07-21 07:30:20
veracode
veracode
CRLF Injection
2023-07-17 03:51:29
amazon
amazon
Important: golang
2023-08-03 18:10:00
Important: golist
2023-08-03 18:10:00
Important: cri-tools
2023-08-03 18:10:00
cbl_mariner
cbl_mariner
CVE-2023-29406 affecting package golang for versions less than 1.20.7-1
2024-07-26 21:09:35
CVE-2023-29406 affecting package msft-golang for versions less than 1.20.7-1
2024-07-26 21:09:35
CVE-2023-29406 affecting package golang for versions less than 1.20.7-1
2024-07-26 21:09:29
prion
prion
Design/Logic Flaw
2023-07-11 20:15:00
oraclelinux
oraclelinux
container-tools:4.0 security and bug fix update
2023-11-22 00:00:00
containernetworking-plugins security and bug fix update
2023-11-11 00:00:00
skopeo security update
2023-11-11 00:00:00
ubuntucve
ubuntucve
CVE-2023-29406
2023-07-11 00:00:00
redhat
redhat
(RHSA-2023:7202) Moderate: container-tools:4.0 security and bug fix update
2023-11-14 16:23:40
(RHSA-2024:0293) Moderate: OpenShift Container Platform 4.14.10 packages and security update
2024-01-23 20:33:05
(RHSA-2023:5721) Important: go-toolset:rhel8 security update
2023-10-16 12:13:12
rocky
rocky
container-tools:4.0 security and bug fix update
2023-11-28 22:43:02
Satellite 6.14 security and bug fix update
2023-11-11 22:58:57
openvas
openvas
openSUSE: Security Advisory for go1.20 (SUSE-SU-2023:3002-1)
2024-03-04 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-3029)
2023-10-31 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-3006)
2023-10-31 00:00:00
cvelist
cvelist
CVE-2023-29406 Insufficient sanitization of Host header in net/http
2023-07-11 19:23:58
nvd
nvd
CVE-2023-29406
2023-07-11 20:15:10
alpinelinux
alpinelinux
CVE-2023-29406
2023-07-11 20:15:10
wolfi
wolfi
CVE-2023-29406 vulnerabilities
2024-07-26 21:09:29
ibm
ibm
almalinux
almalinux
Moderate: container-tools:4.0 security and bug fix update
2023-11-14 00:00:00
Moderate: containernetworking-plugins security and bug fix update
2023-11-07 00:00:00
Moderate: toolbox security and bug fix update
2023-11-07 00:00:00
cgr
cgr
CVE-2023-29406 vulnerabilities
2024-05-19 03:07:16
debiancve
debiancve
CVE-2023-29406
2023-07-11 20:15:10
photon
photon
Moderate Photon OS Security Update - PHSA-2023-5.0-0066
2023-08-05 00:00:00
Moderate Photon OS Security Update - PHSA-2023-4.0-0484
2023-10-05 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0644
2023-09-06 00:00:00
freebsd
freebsd
go -- multiple vulnerabilities
2023-04-27 00:00:00
redos
redos
ROS-20240418-06
2024-04-18 00:00:00
gentoo
gentoo
Go: Multiple Vulnerabilities
2023-11-25 00:00:00
ics
ics
Siemens SCALANCE XCM-/XRM-300
2024-02-15 12:00:00
CVSS3
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
7
Confidence
High
EPSS
0.001
Percentile
45.1%
Related for CVE-2023-29406