#VU103455 Information disclosure in Go programming language - CVE-2024-45336

Cybersecurity Help s.r.o.

Published: 2025-01-30

Vulnerability identifier: #VU103455

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-45336

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the HTTP client will send Authorization header to a third-party domain after a chain of redirects. A remote attacker can gain unauthorized access to credentials.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.22.0 - 1.24 rc1

External links
https://go.dev/cl/643100
https://go.dev/issue/70530
https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://pkg.go.dev/vuln/GO-2025-3420

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Security

Multiple vulnerabilities in Oracle Linux

Oracle Solaris update for third-party components

Multiple vulnerabilities in OpenShift Service Mesh 2.5

Red Hat Enterprise Linux 8 update for the go-toolset:rhel8 module

Multiple vulnerabilities in IBM Maximo Application Suite

Multiple vulnerabilities in OpenShift Logging 6.1

openEuler 20.03 LTS SP4 update for golang

openEuler 22.03 LTS SP3 update for golang

openEuler 24.03 LTS update for golang