The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
CPE | Name | Operator | Version |
---|---|---|---|
go | eq | weekly.2010-01-05 | |
go | eq | weekly.2010-08-11 | |
go | eq | weekly.2011-09-01 | |
go | eq | weekly.2011-06-09 | |
go | eq | weekly.2010-11-10 | |
go | eq | weekly.2011-07-07 | |
go | eq | go1.19.7 | |
go | eq | go1.19.8 | |
go | eq | weekly.2011-08-10 | |
go | eq | go1.9.2 |