CVE-2024-45336

🗓️ 28 Jan 2025 01:03:24Reported by GoType

cve🔗 web.nvd.nist.gov👁 315 Views🌐 WEB

HTTP client drops sensitive headers on cross-domain redirects, revealing security issues.

Reporter	Title	Published	Views	Family All 662
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002.	2 May 202507:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses axios-1.7.7.tgz, Kubectl-1.22.4 and Websphere Liberty - 24.0.0.11 which is vulnerable to CVE-2025-27152, CVE-2024-47535, CVE-2024-24791, CVE-2024-45336, CVE-2024.	30 May 202513:17	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps	25 Jun 202513:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality	1 Sep 202511:01	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in Go affects IBM Robotic Process Automation for Cloud Pak	9 Jun 202519:01	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images	22 May 202506:33	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive header drop in Golang/net/http [CVE-2024-45336]	13 Jun 202516:21	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with Cloud Pak foundational services before 4.6.20 shipped with IBM Cloud Pak for Business Automation iFixes for January 2026.	17 Mar 202617:38	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.	5 Jun 202506:12	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.	1 Sep 202514:35	–	ibm

[
  {
    "vendor": "Go standard library",
    "product": "net/http",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "net/http",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.22.11",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.23.0-0",
        "lessThan": "1.23.5",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.24.0-0",
        "lessThan": "1.24.0-rc.2",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "Client.do"
      },
      {
        "name": "Client.makeHeadersCopier"
      },
      {
        "name": "shouldCopyHeaderOnRedirect"
      },
      {
        "name": "Client.Do"
      },
      {
        "name": "Client.Get"
      },
      {
        "name": "Client.Head"
      },
      {
        "name": "Client.Post"
      },
      {
        "name": "Client.PostForm"
      },
      {
        "name": "Get"
      },
      {
        "name": "Head"
      },
      {
        "name": "Post"
      },
      {
        "name": "PostForm"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
groups	www.groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
go	www.go.dev/issue/70530
groups	www.groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
go	www.go.dev/cl/643100
pkg	www.pkg.go.dev/vuln/GO-2025-3420
security	www.security.netapp.com/advisory/ntap-20250221-0003/

Parameter	Position	Path	Description	CWE
Authorization	header	a.com/	Cross-domain redirect handling may drop then later resurrect sensitive Authorization header when following redirects from a.com to b.com, enabling header leakage or mismatched authentication behavior.
Authorization	header	b.com/2	Final destination in a cross-domain redirect chain may receive the Authorization header after the client previously dropped it, indicating improper normalization of headers during redirects.

15 Apr 2026 00:35Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.16.1

EPSS0.00142

SSVC