Vulnerability Report: GO-2022-0211

CVE-2019-14809
Affects: net/url
Published: Jul 01, 2022
Modified: Jun 12, 2023

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.

Affected Packages

Path

Versions

Symbols
net/url

before go1.11.13, from go1.12.0-0 before go1.12.8
- URL.Hostname
- URL.Port

Aliases

CVE-2019-14809

References

https://go.dev/cl/189258
https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
https://go.dev/issue/29098
https://groups.google.com/g/golang-announce/c/65QixT3tcmg
https://vuln.go.dev/ID/GO-2022-0211.json

Credits

Julian HectorNikolai Krein from Cure53, Adi Cohen (adico.me)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL