CVE-2019-14809
moderate-risk
Published 2019-08-13
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
Do I need to act?
~
2.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: b2967c0e5c5271bb4469e1f615fb85879ebd8a57, 306a74284eb261acb34ce7f70962f357906a2759
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (2)
References (26)
Mailing List
https://seclists.org/bugtraq/2019/Aug/31
Third Party Advisory
https://www.debian.org/security/2019/dsa-4503
and 6 more references
45
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
6/34 · Minimal
Exposure
7/34 · Low