data/reports/GO-2022-0211.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.11.13
       - introduced: 1.12.0
         fixed: 1.12.8
     vulnerable_at: 1.12.7
     packages:
       - package: net/url
         symbols:
           - parseHost
           - URL.Hostname
           - URL.Port
 description: |
     The url.Parse function accepts URLs with malformed hosts, such that the Host
     field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
     allowing authorization bypasses in certain applications.
 published: 2022-07-01T20:15:30Z
 cves:
   - CVE-2019-14809
 credit: Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
 references:
   - fix: https://go.dev/cl/189258
   - fix: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
   - report: https://go.dev/issue/29098
   - web: https://groups.google.com/g/golang-announce/c/65QixT3tcmg
	modules:
	- module: std
	versions:
	- fixed: 1.11.13
	- introduced: 1.12.0
	fixed: 1.12.8
	vulnerable_at: 1.12.7
	packages:
	- package: net/url
	symbols:
	- parseHost
	- URL.Hostname
	- URL.Port
	description: \|
	The url.Parse function accepts URLs with malformed hosts, such that the Host
	field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
	allowing authorization bypasses in certain applications.
	published: 2022-07-01T20:15:30Z
	cves:
	- CVE-2019-14809
	credit: Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
	references:
	- fix: https://go.dev/cl/189258
	- fix: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
	- report: https://go.dev/issue/29098
	- web: https://groups.google.com/g/golang-announce/c/65QixT3tcmg