Amazon Linux 2023: CVE-2023-29406: Important priority package update for golang (Multiple Advisories)

Amazon Linux 2023: CVE-2023-29406: Important priority package update for golang (Multiple Advisories)

Severity

8

CVSS

(AV:N/AC:L/Au:N/C:N/I:C/A:N)

Published

07/11/2023

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. A flaw was found in Golang, where it is vulnerable to HTTP header injection caused by improper content validation of the Host header by the HTTP/1 client. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted Web page. This flaw allows the attacker to conduct various attacks against the vulnerable system, including Cross-site scripting, cache poisoning, or session hijacking.

Solution(s)

• amazon-linux-2023-upgrade-amazon-ecr-credential-helper
• amazon-linux-2023-upgrade-amazon-ssm-agent
• amazon-linux-2023-upgrade-amazon-ssm-agent-debuginfo
• amazon-linux-2023-upgrade-amazon-ssm-agent-debugsource
• amazon-linux-2023-upgrade-cni-plugins
• amazon-linux-2023-upgrade-cni-plugins-debuginfo
• amazon-linux-2023-upgrade-cni-plugins-debugsource
• amazon-linux-2023-upgrade-containerd
• amazon-linux-2023-upgrade-containerd-debuginfo
• amazon-linux-2023-upgrade-containerd-debugsource
• amazon-linux-2023-upgrade-containerd-stress
• amazon-linux-2023-upgrade-containerd-stress-debuginfo
• amazon-linux-2023-upgrade-docker
• amazon-linux-2023-upgrade-docker-debuginfo
• amazon-linux-2023-upgrade-docker-debugsource
• amazon-linux-2023-upgrade-ecs-init
• amazon-linux-2023-upgrade-golang
• amazon-linux-2023-upgrade-golang-bin
• amazon-linux-2023-upgrade-golang-docs
• amazon-linux-2023-upgrade-golang-misc
• amazon-linux-2023-upgrade-golang-shared
• amazon-linux-2023-upgrade-golang-src
• amazon-linux-2023-upgrade-golang-tests
• amazon-linux-2023-upgrade-nerdctl
• amazon-linux-2023-upgrade-oci-add-hooks
• amazon-linux-2023-upgrade-oci-add-hooks-debuginfo
• amazon-linux-2023-upgrade-oci-add-hooks-debugsource
• amazon-linux-2023-upgrade-runc
• amazon-linux-2023-upgrade-runc-debuginfo
• amazon-linux-2023-upgrade-runc-debugsource

References

• https://attackerkb.com/topics/cve-2023-29406
• CVE - 2023-29406
• https://alas.aws.amazon.com/AL2023/ALAS-2023-283.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-311.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-312.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-313.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-338.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-345.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-346.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-347.html
• https://alas.aws.amazon.com/AL2023/ALAS-2023-373.html
• https://alas.aws.amazon.com/AL2023/ALAS-2024-480.html

View more