Lucene search

[email protected]CVE-2019-9741

HistoryMar 13, 2019 - 8:29 a.m.

CVE-2019-9741

2019-03-1308:29:00

CWE-93

[email protected]

web.nvd.nist.gov

cve-2019-9741

net/http

go 1.11.5

crlf injection

http header

redis command

nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.7%

JSON

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

CPENameOperatorVersion
golang:gogolang goeq1.11.5
debian:debian_linuxdebian debian linuxeq8.0
debian:debian_linuxdebian debian linuxeq9.0
fedoraproject:fedorafedoraproject fedoraeq29
redhat:enterprise_linuxredhat enterprise linuxeq8.0
redhat:developer_toolsredhat developer toolseq1.0

CPE	Name	Operator	Version
golang:go	golang go	eq	1.11.5
debian:debian_linux	debian debian linux	eq	8.0
debian:debian_linux	debian debian linux	eq	9.0
fedoraproject:fedora	fedoraproject fedora	eq	29
redhat:enterprise_linux	redhat enterprise linux	eq	8.0
redhat:developer_tools	redhat developer tools	eq	1.0