packages:
  - module: std
    package: net/url
    symbols:
      - parseHost
      - URL.Hostname
      - URL.Port
    versions:
      - fixed: 1.11.13
      - introduced: 1.12.0
        fixed: 1.12.8
    vulnerable_at: 1.12.7
description: |
    The url.Parse function accepts URLs with malformed hosts, such that the Host
    field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
    allowing authorization bypasses in certain applications.
cves:
  - CVE-2019-14809
credit: Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
links:
    pr: https://go.dev/cl/189258
    commit: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
    context:
      - https://go.dev/issue/29098
      - https://groups.google.com/g/golang-announce/c/65QixT3tcmg