x/vulndb: add reports/GO-2022-0211.yaml for CVE-2019-14809
Fixes golang/vulndb#0211
Change-Id: Ib460c640cea4b022e378dcec383f176059a1af10
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/415277
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/reports/GO-2022-0211.yaml b/reports/GO-2022-0211.yaml
new file mode 100644
index 0000000..597f115
--- /dev/null
+++ b/reports/GO-2022-0211.yaml
@@ -0,0 +1,25 @@
+packages:
+ - module: std
+ package: net/url
+ symbols:
+ - parseHost
+ - URL.Hostname
+ - URL.Port
+ versions:
+ - fixed: 1.11.13
+ - introduced: 1.12.0
+ fixed: 1.12.8
+ vulnerable_at: 1.12.7
+description: |
+ The url.Parse function accepts URLs with malformed hosts, such that the Host
+ field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
+ allowing authorization bypasses in certain applications.
+cves:
+ - CVE-2019-14809
+credit: Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
+links:
+ pr: https://go.dev/cl/189258
+ commit: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
+ context:
+ - https://go.dev/issue/29098
+ - https://groups.google.com/g/golang-announce/c/65QixT3tcmg
