CVE-2019-9741

MEDIUM

Go 1.11.5 - CRLF Injection

Title source: llm

Description

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

References (8)

[Exploit, Patch, Third Party Advisory] https://github.com/golang/go/issues/30794

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/107432

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1300

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1519

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html

Scores

CVSS v3 6.1

EPSS 0.0334

EPSS Percentile 87.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-93

Status published

Products (6)

debian/debian_linux 8.0

debian/debian_linux 9.0

fedoraproject/fedora 29

golang/go 1.11.5

redhat/developer_tools 1.0

redhat/enterprise_linux 8.0

Published Mar 13, 2019

Tracked Since Feb 18, 2026