vulnerability

Oracle Linux: CVE-2024-45336: ELSA-2025-3772: go-toolset:ol8 security update (MODERATE) (Multiple Advisories)

Try Surface Command
Back to search
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published
Jan 17, 2025
Added
Apr 11, 2025
Modified
Jul 17, 2025

Description

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
A flaw was found in the net/http package of the Golang standard library. The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to `a.com/` containing an Authorization header redirected to `b.com/` will not send that header to `b.com`. However, the sensitive headers would be restored if the client received a subsequent same-domain redirect. For example, a chain of redirects from `a.com/`, to `b.com/1`, and finally to `b.com/2` would incorrectly send the Authorization header to `b.com/2`.

Solutions

oracle-linux-upgrade-delveoracle-linux-upgrade-golangoracle-linux-upgrade-golang-binoracle-linux-upgrade-golang-docsoracle-linux-upgrade-golang-miscoracle-linux-upgrade-golang-srcoracle-linux-upgrade-golang-testsoracle-linux-upgrade-go-toolsetoracle-linux-upgrade-yggdrasiloracle-linux-upgrade-yggdrasil-devel

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today