#VU78327 Improper Neutralization of HTTP Headers for Scripting Syntax in Go programming language - CVE-2023-29406


Vulnerability identifier: #VU78327

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29406

CWE-ID: CWE-644

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper input validation in HTTP/1 client when handling HTTP Host header. A remote non-authenticated attacker can send a specially crafted HTTP request with a maliciously crafted Host header and inject additional headers or entire requests.

Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.19 - 1.19.10, 1.20 - 1.20.5

External links
https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://go.dev/cl/506996
https://pkg.go.dev/vuln/GO-2023-1878
https://go.dev/issue/60374

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for container-tools:an8 module
openEuler 20.03 LTS SP4 update for etcd
Amazon Linux AMI update for amazon-ssm-agent
Amazon Linux AMI update for amazon-ecr-credential-helper
Amazon Linux AMI update for oci-add-hooks
Amazon Linux AMI update for docker
Amazon Linux AMI update for cni-plugins
Amazon Linux AMI update for runc
Amazon Linux AMI update for containerd
Amazon Linux AMI update for nerdctl