CVE-2024-45258

The req package before 3.43.4 for Go may send an unintended request when a malformed URL is provided, because cleanHost in http.go intentionally uses a "garbage in, garbage out" design.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d
https://github.com/imroc/req/compare/v3.43.3...v3.43.4

Configurations

No configuration.

History

26 Aug 2024, 14:35

Type	Values Removed	Values Added
CWE		CWE-20
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

26 Aug 2024, 12:47

Type	Values Removed	Values Added
Summary		(es) El paquete req anterior a 3.43.4 para Go puede enviar una solicitud no deseada cuando se proporciona una URL con formato incorrecto, porque cleanHost en http.go utiliza intencionalmente un diseño de "basura que entra, basura sale".

25 Aug 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-25 22:15

Updated : 2024-08-26 14:35

NVD link : CVE-2024-45258

Mitre link : CVE-2024-45258

CVE.ORG link : CVE-2024-45258

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

9.8 /10