CVE-2019-14809
golang: malformed hosts in URLs leads to authorization bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
net / url in Go antes del 1.11.13 y 1.12.x antes del 1.12.8 maneja mal los hosts mal formados en las URL, lo que lleva a una omisión de autorización en algunas aplicaciones. Esto está relacionado con un campo Host con un sufijo que no aparece en Hostname () ni Port (), y está relacionado con un número de puerto no numérico. Por ejemplo, un atacante puede componer un javascript creado: // URL que da como resultado un nombre de host de google.com.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-08-13 CVE Published
- 2023-12-07 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-285: Improper Authorization
CAPEC
References (15)
URL | Tag | Source |
---|---|---|
https://groups.google.com/forum/#%21topic/golang-announce/0uuMm1BwpHE | X_refsource_misc | |
https://groups.google.com/forum/#%21topic/golang-announce/65QixT3tcmg | X_refsource_confirm | |
https://seclists.org/bugtraq/2019/Aug/31 | Mailing List |
URL | Date | SRC |
---|---|---|
https://github.com/golang/go/issues/29098 | 2024-08-05 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.11.13 Search vendor "Golang" for product "Go" and version " < 1.11.13" | - |
Affected
| ||||||
Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.12.0 < 1.12.8 Search vendor "Golang" for product "Go" and version " >= 1.12.0 < 1.12.8" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
|