CVE-2019-14809

CRITICAL

Go <1.11.13, 1.12.x <1.12.8 - Auth Bypass

Title source: llm
STIX 2.1

Description

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

References (13)

Core 13
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/golang/go/issues/29098
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Aug/31
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4503
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3433

Scores

CVSS v3 9.8
EPSS 0.0258
EPSS Percentile 85.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
debian/debian_linux 10.0
golang/go < 1.11.13
Published Aug 13, 2019
Tracked Since Feb 18, 2026