net/http: CVE-2023-45289 affected versions #66696

Closed
ArnoSen opened this issue Apr 5, 2024 · 2 comments
ArnoSen commented Apr 5, 2024

Go version

n/a

Output of go env in your module/workspace:

n/a

What did you do?

I have been reading the report detailing CVE-2023-45289 at https://mattermost.com/blog/patching-gos-leaky-http-clients/.
This issue has already been fixed in 1.22.1 and 1.21.8.
Reading the article, this vulnerability was introduced in https://go-review.googlesource.com/c/go/+/424935, which is dated Jan 23, 2023.

Prior to this CL, CVE-2023-45289 would not occur because IPv6 addresses would have had square brackets around them.

What did you see happen?

When reading the CVE details at https://www.cve.org/CVERecord?id=CVE-2023-45289, it says all versions up to 1.21.8 are affected.

What did you expect to see?

I would have expected to see that versions released that do not have CL424935 merged would not be affected.

Of course I can understand that earlier versions aren't supported anymore, so maybe it is not relevant, but I would like to understand the policy that is maintained for documenting CVE affected versions.
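The report turns on whether an http.Client keeps forwarding sensitive headers when a redirect sends it to a differently spelled host, and on IPv6 literals (with or without brackets) slipping through name-based matching. The following is an added example, not code from this issue or from the Go project: a hypothetical CheckRedirect hook that drops Authorization, Cookie and Proxy-Authorization unless the redirect target is the same host and port as the original request, comparing IP literals as parsed addresses rather than as strings and never applying any subdomain rule to them. It is stricter than Go's default (which also forwards to subdomains) and does not depend on the standard library's own matching, so a caller stuck on a release outside the support window can layer it on as a mitigation. Function names, the header list and the sample URLs are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveHeaders lists the headers this (hypothetical) policy never lets
// cross a host change. The names are canonical as http.Header stores them.
var sensitiveHeaders = []string{"Authorization", "Cookie", "Proxy-Authorization"}

// mustURL parses a constructed sample URL and panics on error (example helper).
func mustURL(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

// sameHost reports whether a and b name the same host and port. DNS names are
// compared case-insensitively as whole strings (no suffix/subdomain matching).
// IP literals are parsed with net.ParseIP after url.URL.Hostname strips the
// IPv6 brackets, so "::1" and "0:0:0:0:0:0:0:1" compare equal, and an IP
// literal can never be mistaken for a "subdomain" of a DNS name.
func sameHost(a, b *url.URL) bool {
	if a.Port() != b.Port() {
		return false
	}
	ha, hb := a.Hostname(), b.Hostname()
	ipa, ipb := net.ParseIP(ha), net.ParseIP(hb)
	if ipa != nil || ipb != nil {
		return ipa != nil && ipb != nil && ipa.Equal(ipb)
	}
	return strings.EqualFold(ha, hb)
}

// forwardAllowed decides whether sensitive headers may travel from the
// original request to a redirect target: same host and port, and no
// downgrade from https to http (an http -> https upgrade is allowed).
func forwardAllowed(from, to *url.URL) bool {
	if strings.EqualFold(from.Scheme, "https") && !strings.EqualFold(to.Scheme, "https") {
		return false
	}
	return sameHost(from, to)
}

// stripSensitiveOnHostChange is an http.Client.CheckRedirect hook. Go copies
// the forwardable headers into the redirected request before calling
// CheckRedirect, so deleting them here keeps them off the wire. via[0] is the
// original request; the hop limit mirrors the default of 10.
func stripSensitiveOnHostChange(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if !forwardAllowed(via[0].URL, req.URL) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// newStrictClient returns a client with the policy installed.
func newStrictClient() *http.Client {
	return &http.Client{CheckRedirect: stripSensitiveOnHostChange}
}

func main() {
	// Constructed redirect pairs: original request URL -> redirect target.
	pairs := [][2]string{
		{"https://api.example.com/login", "https://api.example.com/home"},
		{"https://api.example.com/login", "https://www.api.example.com/home"},
		{"https://api.example.com/login", "http://api.example.com/home"},
		{"http://[::1]:8080/login", "http://[0:0:0:0:0:0:0:1]:8080/home"},
		{"http://example.com/login", "http://[::1]/home"},
	}
	for _, p := range pairs {
		fmt.Printf("%-32s -> %-40s forward=%v\n", p[0], p[1], forwardAllowed(mustURL(p[0]), mustURL(p[1])))
	}
	// client.Get(...) would now apply the policy on every redirect hop.
	_ = newStrictClient()
}
```

The policy is deliberately coarser than the standard library's: a legitimate redirect from `api.example.com` to `www.api.example.com` also loses its Authorization header, which is the trade-off for not having to reason about subdomain edge cases at all.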

@seankhliao seankhliao changed the title CVE-2023-45289 affected versions net/http: CVE-2023-45289 affected versions Apr 5, 2024
seankhliao (Member) commented

cc @golang/security


tatianab commented Apr 5, 2024

Hi, thanks for your comment.

In the general case, it is difficult to determine exactly when a particular vulnerability is introduced, so we err on the side of caution and mark all versions before the fix as vulnerable.

In this particular case, as the article you linked mentions, part of the vulnerability affects versions before https://go-review.googlesource.com/c/go/+/424935 was committed. In addition, that commit was part of Go releases that are old enough to no longer be in our support window.

In cases where the introduced version is known to us, and is recent enough to be within the support window, we would include that in the versions list.

Hope that helps. FYI, if you ever have a further question or suggestion regarding this or another vulnerability report, you can use this issue tracker: https://github.com/golang/vulndb/issues/new/choose (select "Suggest an edit to an existing report").

@tatianab tatianab self-assigned this Apr 5, 2024
@tatianab tatianab closed this as completed Apr 5, 2024