Vulnerability Report: GO-2022-0211
standard library
- CVE-2019-14809
- Affects: net/url
- Published: Jul 01, 2022
- Modified: May 20, 2024
The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
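A defensive check for the mismatch described above, as an added example (not code from the Go project or from this report): it rebuilds the authority from Hostname() and Port(), rejects the URL when the result differs from Host or when the port is not decimal digits, and only then consults an allowlist. CheckHost, HostAllowed, the allowlist entries and the sample URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrHostMismatch means u.Host holds text that Hostname() and Port() do not account for.
var ErrHostMismatch = errors.New("url host does not round-trip through Hostname()/Port()")

// CheckHost rebuilds the authority from Hostname() and Port() and requires it
// to equal u.Host byte for byte, and requires any port to be decimal digits.
func CheckHost(u *url.URL) error {
	name, port := u.Hostname(), u.Port()
	if strings.Trim(port, "0123456789") != "" {
		return ErrHostMismatch
	}
	rebuilt := name
	switch {
	case port != "":
		rebuilt = net.JoinHostPort(name, port) // re-adds [] around IPv6 literals
	case strings.Contains(name, ":"):
		rebuilt = "[" + name + "]"
	}
	if rebuilt != u.Host {
		return ErrHostMismatch
	}
	return nil
}

// HostAllowed parses raw and reports whether its hostname is in allow.
// A URL that fails to parse or fails CheckHost is never allowed.
func HostAllowed(raw string, allow map[string]bool) bool {
	u, err := url.Parse(raw)
	if err != nil || CheckHost(u) != nil {
		return false
	}
	return allow[strings.ToLower(u.Hostname())]
}

func main() {
	allow := map[string]bool{"example.com": true, "::1": true} // constructed allowlist
	for _, raw := range []string{"https://example.com:8443/a", "https://[::1]:8080/", "https://[::1]evil/"} {
		fmt.Printf("%-28s allowed=%v\n", raw, HostAllowed(raw, allow))
	}
}
```

On releases that include the fix, url.Parse already returns an error for such hosts; CheckHost additionally covers url.URL values assembled by other code.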
Affected Packages
- Path: net/url
- Go Versions: before go1.11.13, from go1.12.0-0 before go1.12.8
Aliases
References
- https://go.dev/cl/189258
- https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
- https://go.dev/issue/29098
- https://groups.google.com/g/golang-announce/c/65QixT3tcmg
- https://vuln.go.dev/ID/GO-2022-0211.json
Credits
- Julian Hector, Nikolai Krein from Cure53, Adi Cohen (adico.me)