Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2019-14809

Опубликовано: 13 авг. 2019
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

Меры по смягчению последствий

This flaw has no mitigation for any affected golang package versions.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ceph Storage 2golangAffected
Red Hat Ceph Storage 3golangAffected
Red Hat Enterprise Linux 7golangWill not fix
Red Hat OpenStack Platform 9 (Mitaka) Operational ToolsgolangOut of support scope
Red Hat Storage 3golangAffected
Red Hat Developer Toolsgo-toolset-1.12FixedRHEA-2019:417910.12.2019
Red Hat Developer Toolsgo-toolset-1.12-golangFixedRHEA-2019:417910.12.2019
Red Hat Enterprise Linux 8go-toolsetFixedRHSA-2019:343305.11.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-20->CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=1743129golang: malformed hosts in URLs leads to authorization bypass

EPSS

Процентиль: 85%
0.02582
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2019-14809

CVSS3: 9.8
ubuntu
больше 6 лет назад

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

nvd логотип

CVE-2019-14809

CVSS3: 9.8
nvd
больше 6 лет назад

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

debian логотип

CVE-2019-14809

CVSS3: 9.8
debian
больше 6 лет назад

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malfo ...

github логотип

GHSA-2xf8-4fv6-m993

github
больше 3 лет назад

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

oracle-oval логотип

ELSA-2019-3433

oracle-oval
около 6 лет назад

ELSA-2019-3433: go-toolset:ol8 security, bug fix, and enhancement update (MODERATE)

EPSS

Процентиль: 85%
0.02582
Низкий

7.5 High

CVSS3