Lucene search

[email protected]CVE-2019-14809

HistoryAug 13, 2019 - 9:15 p.m.

CVE-2019-14809

2019-08-1321:15:00

NVD-CWE-noinfo

[email protected]

web.nvd.nist.gov

167

In Wild

cve-2019-14809

net/url

authorization bypass

security vulnerability

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.037 Low

EPSS

Percentile

91.7%

JSON

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

CPENameOperatorVersion
golang:gogolang golt1.11.13
golang:gogolang golt1.12.8
debian:debian_linuxdebian debian linuxeq10.0

CPE	Name	Operator	Version
golang:go	golang go	lt	1.11.13
golang:go	golang go	lt	1.12.8
debian:debian_linux	debian debian linux	eq	10.0

References

lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html

lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html

lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html

lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html

lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html

access.redhat.com/errata/RHSA-2019:3433

github.com/golang/go/issues/29098

groups.google.com/forum/#%21topic/golang-announce/0uuMm1BwpHE

groups.google.com/forum/#%21topic/golang-announce/65QixT3tcmg

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/

seclists.org/bugtraq/2019/Aug/31

www.debian.org/security/2019/dsa-4503

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.037 Low

EPSS

Percentile

91.7%

JSON

Related for CVE-2019-14809

nessus25 redhatcve1 debiancve1 ubuntucve1 oraclelinux1 openvas13 osv3 ibm1 redhat1 alpinelinux1 amazon2 attackerkb1 prion1 veracode1 archlinux2 suse5 altlinux1 fedora5 mageia1 debian1 photon6