data/osv/GO-2022-0211.json - vulndb - Git at Google

 {
   "id": "GO-2022-0211",
   "published": "2022-07-01T20:15:30Z",
   "modified": "0001-01-01T00:00:00Z",
   "aliases": [
     "CVE-2019-14809"
   ],
   "details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.",
   "affected": [
     {
       "package": {
         "name": "stdlib",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "0"
             },
             {
               "fixed": "1.11.13"
             },
             {
               "introduced": "1.12.0"
             },
             {
               "fixed": "1.12.8"
             }
           ]
         }
       ],
       "database_specific": {
         "url": "https://pkg.go.dev/vuln/GO-2022-0211"
       },
       "ecosystem_specific": {
         "imports": [
           {
             "path": "net/url",
             "symbols": [
               "URL.Hostname",
               "URL.Port",
               "parseHost"
             ]
           }
         ]
       }
     }
   ],
   "references": [
     {
       "type": "FIX",
       "url": "https://go.dev/cl/189258"
     },
     {
       "type": "FIX",
       "url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6"
     },
     {
       "type": "REPORT",
       "url": "https://go.dev/issue/29098"
     },
     {
       "type": "WEB",
       "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg"
     }
   ],
   "credits": [
     {
       "name": "Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)"
     }
   ],
   "schema_version": "1.3.1"
 }
	{
	"id": "GO-2022-0211",
	"published": "2022-07-01T20:15:30Z",
	"modified": "0001-01-01T00:00:00Z",
	"aliases": [
	"CVE-2019-14809"
	],
	"details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.",
	"affected": [
	{
	"package": {
	"name": "stdlib",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	},
	{
	"fixed": "1.11.13"
	},
	{
	"introduced": "1.12.0"
	},
	{
	"fixed": "1.12.8"
	}
	]
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2022-0211"
	},
	"ecosystem_specific": {
	"imports": [
	{
	"path": "net/url",
	"symbols": [
	"URL.Hostname",
	"URL.Port",
	"parseHost"
	]
	}
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://go.dev/cl/189258"
	},
	{
	"type": "FIX",
	"url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6"
	},
	{
	"type": "REPORT",
	"url": "https://go.dev/issue/29098"
	},
	{
	"type": "WEB",
	"url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg"
	}
	],
	"credits": [
	{
	"name": "Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)"
	}
	],
	"schema_version": "1.3.1"
	}