Allele Security Alert
ASA-2019-00522
Identifier(s)
ASA-2019-00522, CVE-2019-14809
Title
Multiple parsing issues in URL.Parse
Vendor(s)
The Go Authors
Product(s)
Go
Affected version(s)
All versions of Go
Fixed version(s)
Go versions 1.12.8 and 1.11.13
Proof of concept
Unknown
Description
url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
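A defensive check for the condition described above, as an added example that is not part of the original alert or of the Go project's code: before authorizing on a parsed URL, confirm that the Host field contains nothing beyond what Hostname() and Port() report. The allow-list, the function names checkedHost and authorize, and the sample URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allow-list for this example.
var allowedHosts = map[string]bool{"api.example.com": true}

// checkedHost (hypothetical helper) parses raw and returns the hostname to
// authorize against. It rejects a URL whose Host field is not exactly the
// value rebuilt from Hostname() and Port().
func checkedHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err // fixed Go releases reject malformed hosts here
	}
	name, port := u.Hostname(), u.Port()
	if name == "" {
		return "", errors.New("empty host")
	}
	rebuilt := name
	if strings.Contains(name, ":") { // IPv6 literal: Hostname() strips the brackets
		rebuilt = "[" + name + "]"
	}
	if port != "" {
		rebuilt += ":" + port
	}
	if rebuilt != u.Host {
		return "", fmt.Errorf("host %q has content outside Hostname()/Port()", u.Host)
	}
	return strings.ToLower(name), nil
}

// authorize makes its decision only on the verified hostname.
func authorize(raw string) bool {
	h, err := checkedHost(raw)
	return err == nil && allowedHosts[h]
}

func main() {
	for _, raw := range []string{ // constructed sample inputs
		"https://api.example.com:443/v1",
		"https://api.example.com:443evil.test/",
		"https://[::1]evil/",
	} {
		fmt.Printf("%-40s allowed=%v\n", raw, authorize(raw))
	}
}
```

On the fixed versions listed in this alert the malformed inputs already fail inside url.Parse, so the comparison acts as a second line of defense for code that may be built with an older toolchain.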
Technical details
Unknown
Credits
Adi Cohen
Reference(s)
[security] Go 1.12.8 and Go 1.11.13 are released
https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
net/url: URL.Parse Multiple Parsing Issues #29098
https://github.com/golang/go/issues/29098
CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
CVE-2019-9514
https://nvd.nist.gov/vuln/detail/CVE-2019-9514
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: October 17, 2019