Vulnerability CVE-2019-14809


Published: 2019-08-13

Description:
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
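The root cause named above is that Hostname() and Port() could silently drop part of a malformed Host value, so an allowlist check on Hostname() passed while the request was actually addressed elsewhere. The program below is an added example, not code from this advisory or from the Go project. It shows the defensive check an application can run before trusting Hostname(): rebuild the authority from Hostname() and Port(), require a numeric port, and reject any URL whose rebuilt authority does not reproduce Host byte for byte. The allowlist and the malformed Host values are constructed for the demonstration; the malformed values are assigned directly to url.URL because patched Go releases reject non-numeric ports in url.Parse.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// checkHostConsistency is a constructed defensive check (not part of net/url).
// Hostname() and Port() are trusted only when they fully account for the raw
// Host field; a leftover suffix or a non-numeric port means the host is
// malformed and must not be compared against an allowlist.
func checkHostConsistency(u *url.URL) error {
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return errors.New("empty hostname")
	}
	// Ports must be purely numeric; anything else is a malformed host.
	for _, c := range port {
		if c < '0' || c > '9' {
			return fmt.Errorf("non-numeric port %q", port)
		}
	}
	// Rebuild the authority from the parsed parts. Only an IPv6 literal may
	// contain ':' in the hostname, and only when it was bracketed in Host.
	rebuilt := host
	if strings.Contains(host, ":") {
		if !strings.HasPrefix(u.Host, "[") {
			return fmt.Errorf("unbracketed ':' in hostname %q", host)
		}
		rebuilt = "[" + host + "]"
	}
	if port != "" {
		rebuilt += ":" + port
	}
	// Any suffix of Host that Hostname()/Port() dropped shows up as a mismatch.
	if rebuilt != u.Host {
		return fmt.Errorf("Host %q not fully represented by Hostname()/Port() (%q)", u.Host, rebuilt)
	}
	return nil
}

// hostAllowed parses raw and consults the allowlist only after the
// consistency check has passed. The allowlist keys are constructed examples.
func hostAllowed(raw string, allowed map[string]bool) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	if err := checkHostConsistency(u); err != nil {
		return false, err
	}
	return allowed[strings.ToLower(u.Hostname())], nil
}

// hostFieldOK reports whether a raw Host value, placed directly in url.URL.Host
// (bypassing url.Parse), passes the consistency check.
func hostFieldOK(host string) bool {
	return checkHostConsistency(&url.URL{Scheme: "https", Host: host}) == nil
}

func main() {
	allowed := map[string]bool{"example.com": true, "2001:db8::1": true}
	for _, raw := range []string{
		"https://example.com:8443/api",
		"https://[2001:db8::1]:443/",
		"https://attacker.test/",
	} {
		ok, err := hostAllowed(raw, allowed)
		fmt.Printf("%-32s allowed=%v err=%v\n", raw, ok, err)
	}
	// Constructed malformed Host values, set on the struct directly.
	for _, h := range []string{"example.com:abc", "example.com:443:extra", "[2001:db8::1]"} {
		fmt.Printf("Host %-24s consistent=%v\n", h, hostFieldOK(h))
	}
}
```

The check is deliberately stricter than what the Go fix alone provides: it treats any authority it cannot reproduce from Hostname() and Port() as untrusted, which also covers Host values that reach the struct without going through url.Parse.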

Type: CWE-20 (Improper Input Validation)

Vendor: Debian
Product: Debian Linux
Version: 10.0

Vendor: Golang
Product: Go
Version:
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.2
1.9.1
1.9
1.8.7
1.8.6
1.8.5
1.8.4
1.8.3
1.8.2
1.8.1
1.8
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.1
1.7
1.6.4
1.6.3
1.6.2
1.6.1
1.6
1.5.4
1.5.3
1.5.2
1.5.1
1.5
1.4.3
1.4.2
1.4.1
1.4
1.3.3
1.3.2
1.3.1
1.3
1.2.2
1.2.1
1.2
1.12.7
1.12.6
1.12.5
1.12.4
1.12.3
1.12.2
1.12.1
1.12.0
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.2
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
1.10.2
1.10.1
1.10
1.1.2
1.1.1
1.0.3
1.0.2
1.0.1
1.0

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html
https://github.com/golang/go/issues/29098
https://groups.google.com/forum/#!topic/golang-announce/0uuMm1BwpHE
https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg
https://seclists.org/bugtraq/2019/Aug/31
https://www.debian.org/security/2019/dsa-4503

Related CVEs:
CVE-2019-16276
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
CVE-2019-11841
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain...
CVE-2019-11888
Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
CVE-2019-9741
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVE-2019-9634
Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection.
CVE-2019-6486
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
CVE-2018-16875
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers ...
CVE-2018-16874
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only v...

Copyright 2019, cxsecurity.com
