GO-2022-0211

Source
https://pkg.go.dev/vuln/GO-2022-0211
Import Source
https://vuln.go.dev/ID/GO-2022-0211.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0211
Aliases
Published
2022-07-01T20:15:30Z
Modified
2024-05-20T16:03:47Z
Summary
Incorrect parsing validation in net/url
Details

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.

References
Credits
    • Julian Hector
    • Nikolai Krein from Cure53
    • Adi Cohen (adico.me)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.11.13
Introduced
1.12.0-0
Fixed
1.12.8

Ecosystem specific

{
    "imports": [
        {
            "path": "net/url",
            "symbols": [
                "URL.Hostname",
                "URL.Port",
                "parseHost"
            ]
        }
    ]
}