Back to search
CVE-2019-14809
Published: Aug 13, 2019
Modified: Aug 5, 2024
PUBLISHED
Description
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://groups.google.com/forum/#%21topic/golang-announce/65QixT3tcmg
x_refsource_CONFIRM
https://github.com/golang/go/issues/29098
x_refsource_CONFIRM
20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
mailing-list
x_refsource_BUGTRAQ
DSA-4503
vendor-advisory
x_refsource_DEBIAN
openSUSE-SU-2019:2000
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2019:2056
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2019:2072
vendor-advisory
x_refsource_SUSE
FEDORA-2019-55d101a740
vendor-advisory
x_refsource_FEDORA
FEDORA-2019-65db7ad6c7
vendor-advisory
x_refsource_FEDORA
openSUSE-SU-2019:2085
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2019:2130
vendor-advisory
x_refsource_SUSE
RHSA-2019:3433
vendor-advisory
x_refsource_REDHAT
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now