CVE-2024-45258
The req library may send an unintended request when a malformed URL is provided in github.com/imroc/req
描述
The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests. Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).
如何修補 CVE-2024-45258
要修補 CVE-2024-45258,請將受影響套件升級到下列已修補版本。
- —升級至 3.43.4 或更新版本
- —未列出修補版本
- —升級至 3.43.4 或更新版本
- —未列出修補版本
- —升級至 3.43.4 或更新版本
- —升級至 3.43.4 或更新版本
CVE-2024-45258 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(6)
- from 0, < 3.43.4
- from 0
- from 0, < 3.43.4
- from 0
- from 0, < 3.43.4
- from 0, < 3.43.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | HIGH7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |