CVE-2019-14809 — Improper Authorization in Handler for Custom URL Scheme in GO

CWE-939 — Improper Authorization in Handler for Custom URL Scheme9 documents6 sources

Severity

9.8CRITICALNVD

EPSS

2.6%

top 14.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Debian Linux

Timeline

PublishedAug 13

Latest updateJul 1

Description

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDgolang/go1.12.0 — 1.12.8+1

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Incorrect parsing validation in net/url↗2022-07-01

▶

GHSA

GHSA-2xf8-4fv6-m993: net/url in Go before 1↗2022-05-24

▶

OSV

CVE-2019-14809: net/url in Go before 1↗2019-08-13

▶

CVEList

CVE-2019-14809: net/url in Go before 1↗2019-08-13

▶

📋Vendor Advisories

Red Hat

golang: malformed hosts in URLs leads to authorization bypass↗2019-08-13

▶

💬Community

Bugzilla

CVE-2019-14809 golang: malformed hosts in URLs leads to authorization bypass↗2019-08-19

▶

Bugzilla

CVE-2019-14809 golang: malformed hosts in URLs leads to authorization bypass [fedora-all]↗2019-08-19

▶

Bugzilla

CVE-2019-14809 golang: malformed hosts in URLs leads to authorization bypass [epel-all]↗2019-08-19

▶