CVE-2019-14809

Published: 13/08/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

net/url in Go prior to 1.11.13 and 1.12.x prior to 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
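The bypass described above bites applications that authorize on Hostname() while the request is routed using Host. The following Go example is added here and is not code from the advisory, Vulmon, or the Go project; the function name AllowedHost, the allowlist, and the sample URLs are all constructed for illustration. It rebuilds the expected Host value from Hostname() and Port() and rejects a URL whose Host field carries anything the two accessors do not account for, which is the mismatch the CVE describes; on a patched Go (1.11.13 / 1.12.8 or later) url.Parse already rejects the non-numeric port, so the check also serves as a belt-and-braces control on older toolchains.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AllowedHost parses raw, verifies that Host is exactly what Hostname() and
// Port() report (no stray suffix), restricts the scheme to http/https, and
// checks the hostname against an allowlist. It returns the hostname on success.
// Hypothetical helper written for this example; not part of net/url.
func AllowedHost(raw string, allow map[string]bool) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// Go >= 1.11.13 / 1.12.8 rejects a non-numeric port here already.
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return "", errors.New("empty hostname")
	}
	// Rebuild the Host field from the two accessors. If the rebuilt value
	// differs from u.Host, Host carries a suffix that neither Hostname()
	// nor Port() reports, which is the condition behind CVE-2019-14809.
	rebuilt := host
	if strings.Contains(host, ":") { // IPv6 literals are bracketed in Host
		rebuilt = "[" + host + "]"
	}
	if port != "" {
		rebuilt += ":" + port
	}
	if rebuilt != u.Host {
		return "", fmt.Errorf("host %q does not match hostname %q and port %q", u.Host, host, port)
	}
	if !allow[strings.ToLower(host)] {
		return "", fmt.Errorf("hostname %q not in allowlist", host)
	}
	return host, nil
}

func main() {
	allow := map[string]bool{"example.com": true, "::1": true}
	// Constructed sample inputs for this example, not taken from the advisory.
	for _, raw := range []string{
		"https://example.com:8443/path",
		"https://example.com:notaport/", // non-numeric port: rejected
		"javascript://example.com/",    // scheme outside the permitted set
		"https://evil.example.org/",    // not on the allowlist
		"https://[::1]:8080/",
	} {
		host, err := AllowedHost(raw, allow)
		fmt.Printf("%-32s -> host=%q err=%v\n", raw, host, err)
	}
}
```

The design point is to authorize on the same value the rest of the stack will route on: if Host and Hostname()/Port() cannot be reconciled, the URL is refused outright rather than letting one layer see "example.com" while another layer sees the raw Host string.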

Vulnerable Products

golang go

debian debian linux 10.0

Vendor Advisories

Synopsis Moderate: go-toolset:rhel8 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Co ...
Debian Bug report logs - #934954 golang-1.13: CVE-2019-14809 Package: src:golang-1.13; Maintainer for src:golang-1.13 is Go Compiler Team <team+go-compiler@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sat, 17 Aug 2019 08:54:00 UTC Severity: grave Tags: security, upstream Found in ...
Three vulnerabilities have been discovered in the Go programming language; "net/url" accepted some invalid hosts in URLs which could result in authorisation bypass in some applications and the HTTP/2 implementation was susceptible to denial of service. For the stable distribution (buster), these problems have been fixed in version 1.11.6-1+deb10u1 ...
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL tha ...
Impact: Moderate Public Date: 2019-08-13 CWE: CWE-285 Bugzilla: 1743129: CVE-2019-14809 golang: malform ...
An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, non-numeric ports will now return an error from url.Pars ...