CVE-2019-14809

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.11.13 Go versions 1.12.x prior to 1.12.8

Description The issue is related to the net/url function in Go, which mishandles malformed hosts in URLs. This can lead to an authorization bypass in some applications. The vulnerability is associated with a Host field that has a suffix appearing in neither Hostname() nor Port(), and is also related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. The exploitation of this issue may allow a remote attacker to impact data integrity, gain unauthorized access to protected information, and cause a denial of service.

Recommendations For Go versions prior to 1.11.13, update to version 1.11.13 or later. For Go versions 1.12.x prior to 1.12.8, update to version 1.12.8 or later. As a temporary workaround, consider restricting the use of the url.Parse function to minimize the risk of exploitation. Avoid using URLs with malformed hosts in the affected applications until the issue is resolved.