blob: 137715b91ab9e18a5d2915094df0be1de26f3182 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0211",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-01T20:15:30Z",
"aliases": [
"CVE-2019-14809"
],
"summary": "Incorrect parsing validation in net/url",
"details": "The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.13"
},
{
"introduced": "1.12.0-0"
},
{
"fixed": "1.12.8"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net/url",
"symbols": [
"URL.Hostname",
"URL.Port",
"parseHost"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/189258"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/29098"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/65QixT3tcmg"
}
],
"credits": [
{
"name": "Julian Hector"
},
{
"name": "Nikolai Krein from Cure53"
},
{
"name": "Adi Cohen (adico.me)"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0211",
"review_status": "REVIEWED"
}
}