GO-2022-0211

Source
https://pkg.go.dev/vuln/GO-2022-0211
Import Source
https://vuln.go.dev/ID/GO-2022-0211.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0211
Aliases
Published
2022-07-01T20:15:30Z
Modified
2024-05-20T16:03:47Z
Summary
Incorrect parsing validation in net/url
Details

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0211"
}
References
Credits
    • Julian Hector
    • Nikolai Krein from Cure53
    • Adi Cohen (adico.me)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.13
Introduced
1.12.0-0
Fixed
1.12.8

Ecosystem specific

{
    "imports": [
        {
            "path": "net/url",
            "symbols": [
                "URL.Hostname",
                "URL.Port",
                "parseHost"
            ]
        }
    ]
}