Vulnerability Details : CVE-2024-45336
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
Products affected by CVE-2024-45336
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2024-45336
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 9 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-45336
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-28 |
References for CVE-2024-45336
-
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
[security] Go 1.24 Release Candidate 2 is released
-
https://go.dev/issue/70530
-
https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
[security] Go 1.23.5 and Go 1.22.11 are released
-
https://pkg.go.dev/vuln/GO-2025-3420
GO-2025-3420 - Go Packages
-
https://go.dev/cl/643100
[release-branch.go1.24] net/http: persist header stripping across repeated redirects (643100) ยท Gerrit Code Review
-
https://security.netapp.com/advisory/ntap-20250221-0003/
CVE-2024-45336 Golang Vulnerability in NetApp Products | NetApp Product Security
Jump to