exploitDog

CVE-2025-4673

Published: 11 Jun 2025
Source: redhat
CVSS3: 6.8
EPSS: Low

Description

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

A flaw was found in net/http. Handling Proxy-Authorization and Proxy-Authenticate headers during cross-origin redirects allows these headers to be inadvertently forwarded, potentially exposing sensitive authentication credentials. This flaw allows a network-based attacker to manipulate redirect responses, unintentionally exposing authentication details to unauthorized parties.
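The following Go program is an added example, not code from Red Hat or the Go project, and shows the behaviour described above from the defender's side: a CheckRedirect policy on http.Client that deletes Proxy-Authorization and Proxy-Authenticate before a cross-origin hop, plus a local two-server check that shows the header reaching a same-origin redirect target but not a cross-origin one. The function names, the strict scheme+host+port definition of origin (deliberately stricter than net/http's own domain/subdomain rule for Authorization headers) and the sample credential value are assumptions of this example.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// Headers the advisory says net/http forwarded on cross-origin redirects.
var sensitiveRedirectHeaders = []string{"Proxy-Authorization", "Proxy-Authenticate"}

var defaultPorts = map[string]string{"http": "80", "https": "443"}

// portOf returns the explicit port or the scheme default (empty if unknown).
func portOf(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	return defaultPorts[u.Scheme]
}

// sameOrigin is a strict scheme+host+port comparison. Assumption: this is
// deliberately stricter than net/http's own domain/subdomain rule.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Hostname() == b.Hostname() && portOf(a) == portOf(b)
}

// crossOriginHop reports whether a redirect from initial to dest leaves the origin.
func crossOriginHop(initial, dest string) (bool, error) {
	a, err := url.Parse(initial)
	if err != nil {
		return false, err
	}
	b, err := url.Parse(dest)
	if err != nil {
		return false, err
	}
	return !sameOrigin(a, b), nil
}

// stripOnCrossOrigin deletes the sensitive headers from a redirect request
// whose target is not the initial request's origin.
func stripOnCrossOrigin(initial *url.URL, redirect *http.Request) {
	if sameOrigin(initial, redirect.URL) {
		return
	}
	for _, h := range sensitiveRedirectHeaders {
		redirect.Header.Del(h)
	}
}

// newHardenedClient installs a CheckRedirect policy; net/http copies headers onto
// the redirect request before calling it, so the policy can still drop them.
func newHardenedClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 { // keep net/http's default redirect limit
				return errors.New("stopped after 10 redirects")
			}
			stripOnCrossOrigin(via[0].URL, req) // via[0] is the initial request
			return nil
		},
	}
}

// leaksAcrossRedirect sends a request carrying a constructed Proxy-Authorization
// value to a local server that redirects either to a second local server (other
// port, so cross-origin here) or to itself, and reports whether the header arrived.
func leaksAcrossRedirect(client *http.Client, crossOrigin bool) (bool, error) {
	const marker = "Basic Y29uc3RydWN0ZWQ=" // constructed sample credential
	var seen atomic.Bool
	final := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen.Store(r.Header.Get("Proxy-Authorization") == marker)
	})
	var origin *httptest.Server
	if crossOrigin {
		other := httptest.NewServer(final)
		defer other.Close()
		origin = httptest.NewServer(http.RedirectHandler(other.URL+"/final", http.StatusFound))
	} else {
		mux := http.NewServeMux()
		mux.Handle("/final", final)
		mux.Handle("/", http.RedirectHandler("/final", http.StatusFound))
		origin = httptest.NewServer(mux)
	}
	defer origin.Close()
	req, err := http.NewRequest(http.MethodGet, origin.URL+"/start", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Proxy-Authorization", marker)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return seen.Load(), nil
}
```

Calling leaksAcrossRedirect(newHardenedClient(), true) returns false (the header is dropped before the cross-origin hop) while the same call with false returns true (a same-origin redirect keeps it). The strict origin rule means a redirect from proxy.example to sub.proxy.example also drops the headers, which is the conservative choice for proxy credentials.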

Report

The issue is rated as Moderate because while it can lead to a significant compromise of confidentiality, the attack complexity is high. Successful exploitation requires a specific set of circumstances, including the use of a proxy that relies on these headers for authentication and a user being enticed to interact with a malicious URL. The vulnerability does not allow for arbitrary code execution or a direct compromise of system integrity or availability.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | State | Recommendation | Release
Cryostat 4 | cryostat/cryostat-storage-rhel9 | Fix deferred | |
Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Fix deferred | |
Deployment Validation Operator | dvo/deployment-validation-rhel8-operator | Fix deferred | |
Fence Agents Remediation Operator | workload-availability/fence-agents-remediation-rhel8-operator | Fix deferred | |
Gatekeeper 3 | gatekeeper/gatekeeper-rhel9 | Fix deferred | |
Kube Descheduler Operator | kube-descheduler-operator/descheduler-rhel9 | Fix deferred | |
Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Fix deferred | |
Logical Volume Manager Storage | lvms4/lvms-rhel9-operator | Fix deferred | |
Machine Deletion Remediation Operator | workload-availability/machine-deletion-remediation-rhel8-operator | Fix deferred | |
Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Fix deferred | |


Additional information

Status: Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2373305
net/http: Sensitive headers not cleared on cross-origin redirect in net/http

EPSS: 0.00044 (percentile 12%, Low)

CVSS3: 6.8 Medium

Related vulnerabilities

CVSS3: 6.8
ubuntu
2 months ago

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

CVSS3: 6.8
nvd
2 months ago

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

CVSS3: 6.8
msrc
about 1 month ago

No description

CVSS3: 6.8
debian
2 months ago

Proxy-Authorization and Proxy-Authenticate headers persisted on cross- ...

CVSS3: 6.8
github
2 months ago

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
