Vulnerability-Lookup

WID-SEC-W-2025-0111

Vulnerability from csaf_certbund - Published: 2025-01-16 23:00 - Updated: 2025-06-19 22:00

Summary

Golang Go: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Go ist eine quelloffene Programmiersprache.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2024-45336

CVE-2024-45340

CVE-2024-45341

CVE-2025-22865

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://groups.google.com/g/golang-announce/c/L8j…	external
	https://groups.google.com/g/golang-announce/c/sSa…	external
	https://go.dev/issue/71156	external
	https://go.dev/issue/70530	external
	https://go.dev/issue/71249	external
	https://go.dev/issue/71216	external
	https://lists.opensuse.org/archives/list/security…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://lists.opensuse.org/archives/list/security…	external
	https://access.redhat.com/errata/RHSA-2025:3131	external
	https://access.redhat.com/errata/RHSA-2025:3335	external
	https://access.redhat.com/errata/RHSA-2025:3593	external
	https://access.redhat.com/errata/RHSA-2025:3772	external
	https://linux.oracle.com/errata/ELSA-2025-3772.html	external
	https://access.redhat.com/errata/RHSA-2025:3922	external
	https://www.ibm.com/support/pages/node/7232437	external
	https://access.redhat.com/errata/RHSA-2025:4666	external
	https://access.redhat.com/errata/RHSA-2025:4667	external
	https://access.redhat.com/errata/RHSA-2025:4810	external
	https://access.redhat.com/errata/RHSA-2025:7326	external
	https://access.redhat.com/errata/RHSA-2025:7466	external
	https://access.redhat.com/errata/RHSA-2025:7624	external
	https://lists.suse.com/pipermail/sle-security-upd…	external
	https://security.business.xerox.com/wp-content/up…	external
	https://ubuntu.com/security/notices/USN-7574-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Go ist eine quelloffene Programmiersprache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0111 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0111.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0111 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0111"
      },
      {
        "category": "external",
        "summary": "Golang Announce vom 2025-01-16",
        "url": "https://groups.google.com/g/golang-announce/c/L8jWYHEfOlQ"
      },
      {
        "category": "external",
        "summary": "Golang Announce vom 2025-01-16",
        "url": "https://groups.google.com/g/golang-announce/c/sSaUhLA-2SI"
      },
      {
        "category": "external",
        "summary": "Go Issue vom 2025-01-16",
        "url": "https://go.dev/issue/71156"
      },
      {
        "category": "external",
        "summary": "Go Issue vom 2025-01-16",
        "url": "https://go.dev/issue/70530"
      },
      {
        "category": "external",
        "summary": "Go Issue vom 2025-01-16",
        "url": "https://go.dev/issue/71249"
      },
      {
        "category": "external",
        "summary": "Go Issue vom 2025-01-16",
        "url": "https://go.dev/issue/71216"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14694-1 vom 2025-01-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q3ZTZP3RXZGJRRPGSFEUWJMYPA5WPOPW/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14695-1 vom 2025-01-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YRIXY47SJKPKQTDVCPRO6E2DUY5GPEEU/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14693-1 vom 2025-01-25",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZW52JECN55QJ6BSQ4PZXG4RAAPBRCVGB/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0280-1 vom 2025-01-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RQNJ3CKJG63VZGTT4HRQJYBPGOWBUF5C/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0285-1 vom 2025-01-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/TEFUHGEYXH2V4IV65LVVWOSXPYD2UOCT/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3131 vom 2025-03-26",
        "url": "https://access.redhat.com/errata/RHSA-2025:3131"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3335 vom 2025-03-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:3335"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3593 vom 2025-04-03",
        "url": "https://access.redhat.com/errata/RHSA-2025:3593"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3772 vom 2025-04-10",
        "url": "https://access.redhat.com/errata/RHSA-2025:3772"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-3772 vom 2025-04-10",
        "url": "https://linux.oracle.com/errata/ELSA-2025-3772.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3922 vom 2025-04-15",
        "url": "https://access.redhat.com/errata/RHSA-2025:3922"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7232437 vom 2025-05-03",
        "url": "https://www.ibm.com/support/pages/node/7232437"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4666 vom 2025-05-07",
        "url": "https://access.redhat.com/errata/RHSA-2025:4666"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4667 vom 2025-05-07",
        "url": "https://access.redhat.com/errata/RHSA-2025:4667"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4810 vom 2025-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2025:4810"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:7326 vom 2025-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2025:7326"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:7466 vom 2025-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2025:7466"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:7624 vom 2025-05-14",
        "url": "https://access.redhat.com/errata/RHSA-2025:7624"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:01731-1 vom 2025-05-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020921.html"
      },
      {
        "category": "external",
        "summary": "XEROX Security Advisory XRX25-012 vom 2025-06-02",
        "url": "https://security.business.xerox.com/wp-content/uploads/2025/06/Xerox-Security-Bulletin-XRX25-012-for-Xerox-FreeFlow-Print-Server-v9.pdf"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7574-1 vom 2025-06-19",
        "url": "https://ubuntu.com/security/notices/USN-7574-1"
      }
    ],
    "source_lang": "en-US",
    "title": "Golang Go: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-19T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-20T08:12:54.603+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0111",
      "initial_release_date": "2025-01-16T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-16T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-01-26T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-01-28T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-01-29T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-03-26T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-27T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-03T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-09T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-10T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2025-04-15T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-04T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-05-07T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-12T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-13T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-14T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-29T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-06-02T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von XEROX aufgenommen"
        },
        {
          "date": "2025-06-19T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "18"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.24rc2",
                "product": {
                  "name": "Golang Go \u003c1.24rc2",
                  "product_id": "T040382"
                }
              },
              {
                "category": "product_version",
                "name": "1.24rc2",
                "product": {
                  "name": "Golang Go 1.24rc2",
                  "product_id": "T040382-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.24rc2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.24",
                "product": {
                  "name": "Golang Go \u003c1.24",
                  "product_id": "T040383"
                }
              },
              {
                "category": "product_version",
                "name": "1.24",
                "product": {
                  "name": "Golang Go 1.24",
                  "product_id": "T040383-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.23.5",
                "product": {
                  "name": "Golang Go \u003c1.23.5",
                  "product_id": "T040384"
                }
              },
              {
                "category": "product_version",
                "name": "1.23.5",
                "product": {
                  "name": "Golang Go 1.23.5",
                  "product_id": "T040384-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.23.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.22.11",
                "product": {
                  "name": "Golang Go \u003c1.22.11",
                  "product_id": "T040385"
                }
              },
              {
                "category": "product_version",
                "name": "1.22.11",
                "product": {
                  "name": "Golang Go 1.22.11",
                  "product_id": "T040385-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.22.11"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Go"
          }
        ],
        "category": "vendor",
        "name": "Golang"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c24.0.1-IF002",
                "product": {
                  "name": "IBM Business Automation Workflow \u003c24.0.1-IF002",
                  "product_id": "T043290"
                }
              },
              {
                "category": "product_version",
                "name": "24.0.1-IF002",
                "product": {
                  "name": "IBM Business Automation Workflow 24.0.1-IF002",
                  "product_id": "T043290-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:business_automation_workflow:24.0.1-if002"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c24.0.0-IF005",
                "product": {
                  "name": "IBM Business Automation Workflow \u003c24.0.0-IF005",
                  "product_id": "T043291"
                }
              },
              {
                "category": "product_version",
                "name": "24.0.0-IF005",
                "product": {
                  "name": "IBM Business Automation Workflow 24.0.0-IF005",
                  "product_id": "T043291-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:business_automation_workflow:24.0.0-if005"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Business Automation Workflow"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9",
                "product": {
                  "name": "Xerox FreeFlow Print Server 9",
                  "product_id": "T002977",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:xerox:freeflow_print_server:9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FreeFlow Print Server"
          }
        ],
        "category": "vendor",
        "name": "Xerox"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-45336",
      "product_status": {
        "known_affected": [
          "T040384",
          "T040383",
          "T040382",
          "T002207",
          "67646",
          "T000126",
          "T043290",
          "T043291",
          "T027843",
          "T002977",
          "T004914",
          "T040385"
        ]
      },
      "release_date": "2025-01-16T23:00:00.000+00:00",
      "title": "CVE-2024-45336"
    },
    {
      "cve": "CVE-2024-45340",
      "product_status": {
        "known_affected": [
          "T040384",
          "T040383",
          "T040382",
          "T002207",
          "67646",
          "T000126",
          "T043290",
          "T043291",
          "T027843",
          "T002977",
          "T004914",
          "T040385"
        ]
      },
      "release_date": "2025-01-16T23:00:00.000+00:00",
      "title": "CVE-2024-45340"
    },
    {
      "cve": "CVE-2024-45341",
      "product_status": {
        "known_affected": [
          "T040384",
          "T040383",
          "T040382",
          "T002207",
          "67646",
          "T000126",
          "T043290",
          "T043291",
          "T027843",
          "T002977",
          "T004914",
          "T040385"
        ]
      },
      "release_date": "2025-01-16T23:00:00.000+00:00",
      "title": "CVE-2024-45341"
    },
    {
      "cve": "CVE-2025-22865",
      "product_status": {
        "known_affected": [
          "T040384",
          "T040383",
          "T040382",
          "T002207",
          "67646",
          "T000126",
          "T043290",
          "T043291",
          "T027843",
          "T002977",
          "T004914",
          "T040385"
        ]
      },
      "release_date": "2025-01-16T23:00:00.000+00:00",
      "title": "CVE-2025-22865"
    }
  ]
}

CVE-2024-45336 (GCVE-0-2024-45336)

Vulnerability from cvelistv5 – Published: 2025-01-28 01:03 – Updated: 2025-09-18 18:41

Title

Sensitive headers incorrectly sent after cross-domain redirect in net/http

Summary

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

References

URL

Tags

	https://go.dev/cl/643100
	https://go.dev/issue/70530
	https://groups.google.com/g/golang-dev/c/CAWXhan3…
	https://groups.google.com/g/golang-dev/c/bG8cv1mu…
	https://pkg.go.dev/vuln/GO-2025-3420

Impacted products

	Vendor	Product	Version
	Go standard library	net/http	Affected: 0 , < 1.22.11 (semver) Affected: 1.23.0-0 , < 1.23.5 (semver) Affected: 1.24.0-0 , < 1.24.0-rc.2 (semver)

Credits

Kyle Seely

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45336",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T14:56:59.058895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T15:16:38.044Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-21T18:03:31.299Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250221-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "Client.do"
            },
            {
              "name": "Client.makeHeadersCopier"
            },
            {
              "name": "shouldCopyHeaderOnRedirect"
            },
            {
              "name": "Client.Do"
            },
            {
              "name": "Client.Get"
            },
            {
              "name": "Client.Head"
            },
            {
              "name": "Client.Post"
            },
            {
              "name": "Client.PostForm"
            },
            {
              "name": "Get"
            },
            {
              "name": "Head"
            },
            {
              "name": "Post"
            },
            {
              "name": "PostForm"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.22.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.23.5",
              "status": "affected",
              "version": "1.23.0-0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.0-rc.2",
              "status": "affected",
              "version": "1.24.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kyle Seely"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-18T18:41:11.116Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/643100"
        },
        {
          "url": "https://go.dev/issue/70530"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3420"
        }
      ],
      "title": "Sensitive headers incorrectly sent after cross-domain redirect in net/http"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2024-45336",
    "datePublished": "2025-01-28T01:03:24.869Z",
    "dateReserved": "2024-08-27T19:41:58.555Z",
    "dateUpdated": "2025-09-18T18:41:11.116Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45341 (GCVE-0-2024-45341)

Vulnerability from cvelistv5 – Published: 2025-01-28 01:03 – Updated: 2025-02-21 18:03

Title

Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509

Summary

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

URL

Tags

	https://go.dev/cl/643099
	https://go.dev/issue/71156
	https://groups.google.com/g/golang-dev/c/bG8cv1mu…
	https://groups.google.com/g/golang-dev/c/CAWXhan3…
	https://pkg.go.dev/vuln/GO-2025-3373

Impacted products

	Vendor	Product	Version
	Go standard library	crypto/x509	Affected: 0 , < 1.22.11 (semver) Affected: 1.23.0-0 , < 1.23.5 (semver) Affected: 1.24.0-0 , < 1.24.0-rc.2 (semver)

Credits

Juho Forsén of Mattermost

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45341",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T14:57:00.467281Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T15:16:58.278Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-21T18:03:33.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250221-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "matchURIConstraint"
            },
            {
              "name": "CertPool.AppendCertsFromPEM"
            },
            {
              "name": "Certificate.CheckCRLSignature"
            },
            {
              "name": "Certificate.CheckSignature"
            },
            {
              "name": "Certificate.CheckSignatureFrom"
            },
            {
              "name": "Certificate.CreateCRL"
            },
            {
              "name": "Certificate.Verify"
            },
            {
              "name": "Certificate.VerifyHostname"
            },
            {
              "name": "CertificateRequest.CheckSignature"
            },
            {
              "name": "CreateCertificate"
            },
            {
              "name": "CreateCertificateRequest"
            },
            {
              "name": "CreateRevocationList"
            },
            {
              "name": "DecryptPEMBlock"
            },
            {
              "name": "EncryptPEMBlock"
            },
            {
              "name": "HostnameError.Error"
            },
            {
              "name": "MarshalECPrivateKey"
            },
            {
              "name": "MarshalPKCS1PrivateKey"
            },
            {
              "name": "MarshalPKCS1PublicKey"
            },
            {
              "name": "MarshalPKCS8PrivateKey"
            },
            {
              "name": "MarshalPKIXPublicKey"
            },
            {
              "name": "ParseCRL"
            },
            {
              "name": "ParseCertificate"
            },
            {
              "name": "ParseCertificateRequest"
            },
            {
              "name": "ParseCertificates"
            },
            {
              "name": "ParseDERCRL"
            },
            {
              "name": "ParseECPrivateKey"
            },
            {
              "name": "ParsePKCS1PrivateKey"
            },
            {
              "name": "ParsePKCS1PublicKey"
            },
            {
              "name": "ParsePKCS8PrivateKey"
            },
            {
              "name": "ParsePKIXPublicKey"
            },
            {
              "name": "ParseRevocationList"
            },
            {
              "name": "RevocationList.CheckSignatureFrom"
            },
            {
              "name": "SetFallbackRoots"
            },
            {
              "name": "SystemCertPool"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.22.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.23.5",
              "status": "affected",
              "version": "1.23.0-0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.0-rc.2",
              "status": "affected",
              "version": "1.24.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juho Fors\u00e9n of Mattermost"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-30T19:14:21.421Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/643099"
        },
        {
          "url": "https://go.dev/issue/71156"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3373"
        }
      ],
      "title": "Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2024-45341",
    "datePublished": "2025-01-28T01:03:24.353Z",
    "dateReserved": "2024-08-27T19:41:58.556Z",
    "dateUpdated": "2025-02-21T18:03:33.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45340 (GCVE-0-2024-45340)

Vulnerability from cvelistv5 – Published: 2025-01-28 01:03 – Updated: 2025-01-30 19:14

Title

GOAUTH credential leak in cmd/go

Summary

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

References

URL

Tags

	https://go.dev/cl/643097
	https://go.dev/issue/71249
	https://groups.google.com/g/golang-dev/c/CAWXhan3…
	https://pkg.go.dev/vuln/GO-2025-3383

Impacted products

	Vendor	Product	Version
	Go toolchain	cmd/go	Affected: 1.24.0-0 , < 1.24.0-rc.2 (semver)

Credits

Juho Forsén of Mattermost

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45340",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T14:57:35.666224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T15:16:48.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.24.0-rc.2",
              "status": "affected",
              "version": "1.24.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juho Fors\u00e9n of Mattermost"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-30T19:14:21.639Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/643097"
        },
        {
          "url": "https://go.dev/issue/71249"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3383"
        }
      ],
      "title": "GOAUTH credential leak in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2024-45340",
    "datePublished": "2025-01-28T01:03:24.605Z",
    "dateReserved": "2024-08-27T19:41:58.556Z",
    "dateUpdated": "2025-01-30T19:14:21.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22865 (GCVE-0-2025-22865)

Vulnerability from cvelistv5 – Published: 2025-01-28 01:03 – Updated: 2025-01-30 19:14

Title

ParsePKCS1PrivateKey panic with partial keys in crypto/x509

Summary

Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-228 - Improper Handling of Syntactically Invalid Structure

Assigner

References

URL

Tags

	https://go.dev/cl/643098
	https://go.dev/issue/71216
	https://groups.google.com/g/golang-dev/c/CAWXhan3…
	https://pkg.go.dev/vuln/GO-2025-3421

Impacted products

	Vendor	Product	Version
	Go standard library	crypto/x509	Affected: 1.24.0-0 , < 1.24.0-rc.2 (semver)

Credits

Philippe Antoine (Catena cyber)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22865",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T14:58:11.060442Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T15:16:25.641Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "ParsePKCS1PrivateKey"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.0-rc.2",
              "status": "affected",
              "version": "1.24.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Philippe Antoine (Catena cyber)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-228: Improper Handling of Syntactically Invalid Structure",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-30T19:14:21.959Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/643098"
        },
        {
          "url": "https://go.dev/issue/71216"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3421"
        }
      ],
      "title": "ParsePKCS1PrivateKey panic with partial keys in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-22865",
    "datePublished": "2025-01-28T01:03:25.121Z",
    "dateReserved": "2025-01-08T19:11:42.833Z",
    "dateUpdated": "2025-01-30T19:14:21.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-0111

CVE-2024-45336 (GCVE-0-2024-45336)

CVE-2024-45341 (GCVE-0-2024-45341)

CVE-2024-45340 (GCVE-0-2024-45340)

CVE-2025-22865 (GCVE-0-2025-22865)

Tags

Sightings

Nomenclature