CVE-2019-9741

CWE-93CWE-1139 documents7 sources
Severity
6.1MEDIUM
EPSS
3.3%
top 12.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Debian Debian LinuxFedoraproject FedoraGolang GO+2 more
Timeline
PublishedMar 13
Latest updateMay 13

Description

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDgolang/go1.11.5

Also affects: Debian Linux 8.0, 9.0, Fedora 29, Enterprise Linux 8.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-46v6-2c7g-7hfg: An issue was discovered in net/http in Go 12022-05-13
OSV
CVE-2019-9741: An issue was discovered in net/http in Go 12019-03-13
CVEList
CVE-2019-9741: An issue was discovered in net/http in Go 12019-03-13

📋Vendor Advisories

2
Red Hat
golang: CRLF injection in net/http2019-03-13
Microsoft
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter as demonstrated by the second argument to http.NewRequest with \r\n followed by an2019-03-12

💬Community

3
Bugzilla
CVE-2019-9741 golang: CRLF injection in net/http [epel-all]2019-03-13
Bugzilla
CVE-2019-9741 golang: CRLF injection in net/http2019-03-13
Bugzilla
CVE-2019-9741 golang: CRLF injection in net/http [fedora-all]2019-03-13
CVE-2019-9741 (MEDIUM CVSS 6.1) | An issue was discovered in net/http | cvebase.io