data/reports/GO-2022-0211.yaml - vulndb - Git at Google

 id: GO-2022-0211
 modules:
     - module: std
       versions:
         - fixed: 1.11.13
         - introduced: 1.12.0-0
           fixed: 1.12.8
       vulnerable_at: 1.12.7
       packages:
         - package: net/url
           symbols:
             - parseHost
             - URL.Hostname
             - URL.Port
 summary: Incorrect parsing validation in net/url
 description: |-
     The url.Parse function accepts URLs with malformed hosts, such that the Host
     field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
     allowing authorization bypasses in certain applications.
 published: 2022-07-01T20:15:30Z
 cves:
     - CVE-2019-14809
 credits:
     - Julian Hector
     - Nikolai Krein from Cure53
     - Adi Cohen (adico.me)
 references:
     - fix: https://go.dev/cl/189258
     - fix: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
     - report: https://go.dev/issue/29098
     - web: https://groups.google.com/g/golang-announce/c/65QixT3tcmg
	id: GO-2022-0211
	modules:
	- module: std
	versions:
	- fixed: 1.11.13
	- introduced: 1.12.0-0
	fixed: 1.12.8
	vulnerable_at: 1.12.7
	packages:
	- package: net/url
	symbols:
	- parseHost
	- URL.Hostname
	- URL.Port
	summary: Incorrect parsing validation in net/url
	description: \|-
	The url.Parse function accepts URLs with malformed hosts, such that the Host
	field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
	allowing authorization bypasses in certain applications.
	published: 2022-07-01T20:15:30Z
	cves:
	- CVE-2019-14809
	credits:
	- Julian Hector
	- Nikolai Krein from Cure53
	- Adi Cohen (adico.me)
	references:
	- fix: https://go.dev/cl/189258
	- fix: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
	- report: https://go.dev/issue/29098
	- web: https://groups.google.com/g/golang-announce/c/65QixT3tcmg