CVE-2023-29406

Public on 2023-07-11

Modified on 2024-04-29

Description

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

Severity

Medium

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Core	amazon-cloudwatch-agent			Pending Fix
Amazon Linux 2023	amazon-cloudwatch-agent			Pending Fix
Amazon Linux 2023	amazon-ecr-credential-helper	2023-09-14	ALAS2023-2023-346	Fixed
Amazon Linux 2 - Core	amazon-ssm-agent	2023-10-12	ALAS2-2023-2303	Fixed
Amazon Linux 2023	amazon-ssm-agent	2023-09-27	ALAS2023-2023-373	Fixed
Amazon Linux 2 - Core	cni-plugins	2023-08-17	ALAS2-2023-2208	Fixed
Amazon Linux 2023	cni-plugins	2023-08-31	ALAS2023-2023-338	Fixed
Amazon Linux 1	containerd	2023-09-27	ALAS-2023-1849	Fixed
Amazon Linux 2 - Ecs Extra	containerd			Pending Fix
Amazon Linux 2 - Docker Extra	containerd	2023-08-17	ALAS2DOCKER-2023-029	Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra	containerd	2023-08-03	ALAS2NITRO-ENCLAVES-2023-026	Fixed
Amazon Linux 2023	containerd	2023-08-17	ALAS2023-2023-312	Fixed
Amazon Linux 2 - Core	cri-tools	2023-08-03	ALAS2-2023-2194	Fixed
Amazon Linux 2 - Docker Extra	docker			Pending Fix
Amazon Linux 2 - Ecs Extra	docker			Pending Fix
Amazon Linux 2023	docker	2023-09-14	ALAS2023-2023-345	Fixed
Amazon Linux 2 - Ecs Extra	ecs-init	2024-01-03	ALAS2ECS-2024-032	Fixed
Amazon Linux 2023	ecs-init	2024-01-03	ALAS2023-2024-480	Fixed
Amazon Linux 1	golang	2023-09-27	ALAS-2023-1848	Fixed
Amazon Linux 2 - Core	golang	2023-08-03	ALAS2-2023-2186	Fixed
Amazon Linux 2023	golang	2023-08-03	ALAS2023-2023-283	Fixed
Amazon Linux 2 - Core	golist	2023-08-03	ALAS2-2023-2185	Fixed
Amazon Linux 2 - Core	nerdctl	2023-08-03	ALAS2-2023-2193	Fixed
Amazon Linux 2023	nerdctl	2023-08-17	ALAS2023-2023-313	Fixed
Amazon Linux 2023	oci-add-hooks	2023-09-14	ALAS2023-2023-347	Fixed
Amazon Linux 2 - Docker Extra	runc	2023-08-17	ALAS2DOCKER-2023-028	Fixed
Amazon Linux 2 - Ecs Extra	runc	2023-08-03	ALAS2ECS-2023-005	Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra	runc	2023-08-03	ALAS2NITRO-ENCLAVES-2023-025	Fixed
Amazon Linux 2023	runc	2023-08-17	ALAS2023-2023-311	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
NVD	CVSSv3	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2023-29406 Mitre: CVE-2023-29406