blob: 9cb0cd7b5b6aaac799e8c23f5975a646a119501c [file] [log] [blame]
id: GO-2022-0211
modules:
- module: std
versions:
- fixed: 1.11.13
- introduced: 1.12.0-0
- fixed: 1.12.8
vulnerable_at: 1.12.7
packages:
- package: net/url
symbols:
- parseHost
- URL.Hostname
- URL.Port
summary: Incorrect parsing validation in net/url
description: |-
The url.Parse function accepts URLs with malformed hosts, such that the Host
field can have arbitrary suffixes that appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications.
published: 2022-07-01T20:15:30Z
cves:
- CVE-2019-14809
credits:
- Julian Hector
- Nikolai Krein from Cure53
- Adi Cohen (adico.me)
references:
- fix: https://go.dev/cl/189258
- fix: https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
- report: https://go.dev/issue/29098
- web: https://groups.google.com/g/golang-announce/c/65QixT3tcmg
review_status: REVIEWED