CVE-2023-29406 - Vulnerability Details

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0023.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Golang	Go
Redhat	Advanced Cluster Security Cryostat Enterprise Linux Logging Migration Toolkit Applications Network Observ Optr Openshift Openshift Api Data Protection Openshift Data Foundation Openshift Distributed Tracing Openshift Secondary Scheduler Openshift Serverless Openstack Rhmt Run Once Duration Override Operator Satellite Serverless Stf

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Package	CPE	Advisory	Released Date
Cryostat 2 on RHEL 8
cryostat-tech-preview/cryostat-rhel8-operator:2.3.1-11	cpe:/a:redhat:cryostat:2::el8	RHSA-2023:6031	2023-10-23T00:00:00Z
MTA-6.2-RHEL-8
mta/mta-rhel8-operator:6.2.2-3	cpe:/a:redhat:migration_toolkit_applications:6.2::el8	RHSA-2024:1027	2024-02-28T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-hub-rhel9:6.2.2-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-operator-bundle:6.2.2-5	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-pathfinder-rhel9:6.2.2-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-ui-rhel9:6.2.2-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-windup-addon-rhel9:6.2.2-3	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
NETWORK-OBSERVABILITY-1.4.0-RHEL-9
network-observability/network-observability-rhel9-operator:v1.4.0-51	cpe:/a:redhat:network_observ_optr:1.4.0::el9	RHSA-2023:5974	2023-10-20T00:00:00Z
OADP-1.1-RHEL-8
oadp/oadp-velero-rhel8:1.1.7-6	cpe:/a:redhat:openshift_api_data_protection:1.1::el8	RHSA-2023:6115	2023-10-25T00:00:00Z
Openshift Serverless 1 on RHEL 8
openshift-serverless-clients-0:1.9.2-4.el8	cpe:/a:redhat:serverless:1.0::el8	RHSA-2023:6298	2023-11-03T00:00:00Z
OSSO-1.1-RHEL-8
openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8:v1.1-37	cpe:/a:redhat:openshift_secondary_scheduler:1.1::el8	RHSA-2023:5933	2023-10-26T00:00:00Z
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-main-rhel8:4.4.0-17	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:1570	2024-03-28T00:00:00Z
Red Hat Enterprise Linux 8
git-lfs-0:3.4.1-1.el8	cpe:/a:redhat:enterprise_linux:8	RHBA-2024:3053	2024-05-22T00:00:00Z
go-toolset:rhel8-8080020231013004859.6b4b45d8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:5721	2023-10-16T00:00:00Z
container-tools:4.0-8090020230828093056.e7857ab1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:6938	2023-11-14T00:00:00Z
container-tools:rhel8-8090020230825121312.e7857ab1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:6939	2023-11-14T00:00:00Z
container-tools:4.0-8090020231009143402.d7b6f4b7	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:7202	2023-11-14T00:00:00Z
Red Hat Enterprise Linux 9
git-lfs-0:3.4.1-1.el9	cpe:/a:redhat:enterprise_linux:9	RHBA-2024:2274	2024-04-30T00:00:00Z
golang-0:1.19.13-1.el9_2	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:5738	2023-10-16T00:00:00Z
toolbox-0:0.0.99.4-6.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6346	2023-11-07T00:00:00Z
skopeo-2:1.13.3-1.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6363	2023-11-07T00:00:00Z
containernetworking-plugins-1:1.3.0-4.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6402	2023-11-07T00:00:00Z
buildah-1:1.31.3-1.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6473	2023-11-07T00:00:00Z
podman-2:4.6.1-5.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6474	2023-11-07T00:00:00Z
Red Hat Migration Toolkit for Containers 1.7
rhmtc/openshift-velero-plugin-rhel8:v1.7.14-3	cpe:/a:redhat:rhmt:1.7::el8	RHSA-2023:6161	2023-10-30T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift-clients-0:4.14.0-202311031050.p0.g9b1e0d2.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:6840	2023-11-15T00:00:00Z
openshift-0:4.14.0-202401121302.p0.ge36e183.assembly.stream.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2024:0293	2024-01-23T00:00:00Z
Red Hat OpenShift distributed tracing 2
jaeger-agent-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-all-in-one-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-collector-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-es-index-cleaner-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-es-rollover-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-ingester-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-operator-bundle-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-operator-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
jaeger-query-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
opentelemetry-collector-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
opentelemetry-operator-bundle-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
opentelemetry-operator-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
tempo-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
tempo-gateway-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
tempo-gateway-opa-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
tempo-operator-bundle-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
tempo-operator-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
tempo-query-container	cpe:/a:redhat:openshift_distributed_tracing:2.9::el8	RHSA-2023:6085	2023-10-24T00:00:00Z
Red Hat OpenShift Serverless 1.30
openshift-serverless-1/client-kn-rhel8:1.9.2-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-controller-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.9.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.9.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.9.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-receiver-rhel8:1.9.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.9.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-mtping-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-storage-version-migration-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/eventing-webhook-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/func-utils-rhel8:1.30.2-2	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.30.2-3	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.30.2-3	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:1.9.2-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/kourier-control-rhel8:1.9.0-5	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/net-istio-controller-rhel8:1.9.0-5	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/net-istio-webhook-rhel8:1.9.0-5	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.30.2-2	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.30.2-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-activator-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-autoscaler-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-controller-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-domain-mapping-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-domain-mapping-webhook-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-queue-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-storage-version-migration-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/serving-webhook-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.30.2-1	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1-tech-preview/eventing-istio-controller-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1-tech-preview/knative-client-plugin-event-sender-rhel8:1.9.0-4	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.30.0-8	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.30.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.30.0-9	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:6296	2023-11-02T00:00:00Z
Red Hat OpenStack Platform 16.2
rhosp-rhel8/osp-director-agent:1.3.0-10	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:5935	2023-10-19T00:00:00Z
rhosp-rhel8/osp-director-downloader:1.3.0-11	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:5935	2023-10-19T00:00:00Z
rhosp-rhel8/osp-director-operator:1.3.0-9	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:5935	2023-10-19T00:00:00Z
rhosp-rhel8/osp-director-operator-bundle:1.3.0-19	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:5935	2023-10-19T00:00:00Z
etcd-0:3.3.23-15.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:5965	2023-10-20T00:00:00Z
Red Hat Satellite 6.14 for RHEL 8
yggdrasil-worker-forwarder-0:0.0.3-1.el8sat	cpe:/a:redhat:satellite:6.14::el8	RHSA-2023:6818	2023-11-08T00:00:00Z
RHODF-4.15-RHEL-9
odf4/cephcsi-rhel9:v4.15.0-37	cpe:/a:redhat:openshift_data_foundation:4.15::el9	RHSA-2024:1383	2024-03-19T00:00:00Z
RHOL-5.6-RHEL-8
openshift-logging/logging-loki-rhel8:v2.9.2-2	cpe:/a:redhat:logging:5.6::el8	RHSA-2023:5541	2023-10-20T00:00:00Z
RHOL-5.7-RHEL-8
openshift-logging/logging-loki-rhel8:v2.9.2-1	cpe:/a:redhat:logging:5.7::el8	RHSA-2023:5530	2023-10-20T00:00:00Z
RODOO-1.0-RHEL-8
run-once-duration-override-operator/run-once-duration-override-rhel8:v1.0-30	cpe:/a:redhat:run_once_duration_override_operator:1.0::el8	RHSA-2023:5947	2023-10-26T00:00:00Z
STF-1.5-RHEL-8
stf/prometheus-webhook-snmp-rhel8:1.5.2-8	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z
stf/service-telemetry-operator-bundle:1.5.1697612918-1	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z
stf/service-telemetry-rhel8-operator:1.5.1-8	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z
stf/sg-bridge-rhel8:1.5.0-18	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z
stf/sg-core-rhel8:5.1.1-8	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z
stf/smart-gateway-operator-bundle:5.0.1697612918-1	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z
stf/smart-gateway-rhel8-operator:5.0.1-9	cpe:/a:redhat:stf:1.5::el8	RHSA-2023:5976	2023-10-20T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://go.dev/cl/506996
https://go.dev/issue/60374
https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://nvd.nist.gov/vuln/detail/CVE-2023-29406
https://pkg.go.dev/vuln/GO-2023-1878
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20230814-0002/
https://www.cve.org/CVERecord?id=CVE-2023-29406

History

Tue, 17 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat stf
CPEs	~~cpe:/a:redhat:service_telemetry_framework:1.5::el8~~	cpe:/a:redhat:stf:1.5::el8
Vendors & Products	Redhat service Telemetry Framework	Redhat stf

Thu, 07 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 08 Sep 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Distributed Tracing
CPEs		cpe:/a:redhat:openshift_distributed_tracing:2.9::el8
Vendors & Products		Redhat openshift Distributed Tracing

Mon, 19 Aug 2024 22:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:openshift_distributed_tracing:2.9::el8~~
Vendors & Products	Redhat openshift Distributed Tracing

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2023-07-11T19:23:58.511Z

Updated: 2025-02-13T16:49:14.579Z

Reserved: 2023-04-05T19:36:35.043Z

Link: CVE-2023-29406

Vulnrichment

Updated: 2024-08-02T14:07:45.735Z

NVD

Status : Modified

Published: 2023-07-11T20:15:10.643

Modified: 2024-11-21T07:56:59.913

Link: CVE-2023-29406

Redhat

Severity : Moderate

Publid Date: 2023-07-11T00:00:00Z

Links: CVE-2023-29406 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object