CVE-2019-14809
EUVD-2019-593813.08.2019, 21:15
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.11.13 |
| golang | go | 1.12.0 ≤ 𝑥 < 1.12.8 |
| debian | debian_linux | 10.0 |
𝑥
= Vulnerable software versions
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| golang |
| ||||||||||||||||||||||||||||
| golang-1.10 |
| ||||||||||||||||||||||||||||
| golang-1.11 |
| ||||||||||||||||||||||||||||
| golang-1.12 |
| ||||||||||||||||||||||||||||
| golang-1.6 |
| ||||||||||||||||||||||||||||
| golang-1.7 |
| ||||||||||||||||||||||||||||
| golang-1.8 |
| ||||||||||||||||||||||||||||
| golang-1.9 |
|
References