Vulnerability Report: GO-2022-0211
- CVE-2019-14809
- Affects: net/url
- Published: Jul 01, 2022
- Modified: Jun 12, 2023
The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
Affected Packages
-
PathVersionsSymbols
-
before go1.11.13, from go1.12.0-0 before go1.12.8
Aliases
References
- https://go.dev/cl/189258
- https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
- https://go.dev/issue/29098
- https://groups.google.com/g/golang-announce/c/65QixT3tcmg
- https://vuln.go.dev/ID/GO-2022-0211.json
Credits
- Julian HectorNikolai Krein from Cure53, Adi Cohen (adico.me)
Feedback
See anything missing or incorrect?
Suggest an edit to this report.