data/osv/GO-2022-0211.json - vulndb - Git at Google

 {
   "schema_version": "1.3.1",
   "id": "GO-2022-0211",
   "modified": "0001-01-01T00:00:00Z",
   "published": "2022-07-01T20:15:30Z",
   "aliases": [
     "CVE-2019-14809"
   ],
   "details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.",
   "affected": [
     {
       "package": {
         "name": "stdlib",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "0"
             },
             {
               "fixed": "1.11.13"
             },
             {
               "introduced": "1.12.0-0"
             },
             {
               "fixed": "1.12.8"
             }
           ]
         }
       ],
       "ecosystem_specific": {
         "imports": [
           {
             "path": "net/url",
             "symbols": [
               "URL.Hostname",
               "URL.Port",
               "parseHost"
             ]
           }
         ]
       }
     }
   ],
   "references": [
     {
       "type": "FIX",
       "url": "https://go.dev/cl/189258"
     },
     {
       "type": "FIX",
       "url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6"
     },
     {
       "type": "REPORT",
       "url": "https://go.dev/issue/29098"
     },
     {
       "type": "WEB",
       "url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg"
     }
   ],
   "credits": [
     {
       "name": "Julian Hector"
     },
     {
       "name": "Nikolai Krein from Cure53"
     },
     {
       "name": "Adi Cohen (adico.me)"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2022-0211"
   }
 }
	{
	"schema_version": "1.3.1",
	"id": "GO-2022-0211",
	"modified": "0001-01-01T00:00:00Z",
	"published": "2022-07-01T20:15:30Z",
	"aliases": [
	"CVE-2019-14809"
	],
	"details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.",
	"affected": [
	{
	"package": {
	"name": "stdlib",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	},
	{
	"fixed": "1.11.13"
	},
	{
	"introduced": "1.12.0-0"
	},
	{
	"fixed": "1.12.8"
	}
	]
	}
	],
	"ecosystem_specific": {
	"imports": [
	{
	"path": "net/url",
	"symbols": [
	"URL.Hostname",
	"URL.Port",
	"parseHost"
	]
	}
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://go.dev/cl/189258"
	},
	{
	"type": "FIX",
	"url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6"
	},
	{
	"type": "REPORT",
	"url": "https://go.dev/issue/29098"
	},
	{
	"type": "WEB",
	"url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg"
	}
	],
	"credits": [
	{
	"name": "Julian Hector"
	},
	{
	"name": "Nikolai Krein from Cure53"
	},
	{
	"name": "Adi Cohen (adico.me)"
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2022-0211"
	}
	}