ASA-2019-00522 – Go: Multiple parsing issues in URL.Parse


Allele Security Alert

ASA-2019-00522

Identifier(s)

ASA-2019-00522, CVE-2019-14809

Title

Multiple parsing issues in URL.Parse

Vendor(s)

The Go Authors

Product(s)

Go

Affected version(s)

All versions of Go

Fixed version(s)

Go versions 1.12.8 and 1.11.13

Proof of concept

Unknown

Description

url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
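A defensive check for the condition described above, as an added example that is not part of the advisory or of the Go project's code: it accepts a URL only when `Host` is fully accounted for by `Hostname()` and `Port()`, and makes the authorization decision on an exact `Hostname()` match. The function names `hostConsistent` and `authorizeURL`, the allowlist and the sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example.
var allowedHosts = map[string]bool{"example.com": true, "::1": true}

// hostConsistent reports whether u.Host is exactly Hostname() or
// [Hostname()], optionally followed by ":" and a Port() made only of
// decimal digits. Any other text in Host makes it return false. An empty
// port after ":" is rejected too, which is stricter than RFC 3986.
func hostConsistent(u *url.URL) bool {
	name, port := u.Hostname(), u.Port()
	for _, c := range port {
		if c < '0' || c > '9' {
			return false
		}
	}
	for _, h := range []string{name, "[" + name + "]"} {
		if u.Host == h || (port != "" && u.Host == h+":"+port) {
			return true
		}
	}
	return false
}

// authorizeURL allows raw only if it parses, its Host passes
// hostConsistent, and Hostname() exactly matches an allowlist entry.
// It never does prefix or suffix matching on the Host field.
func authorizeURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || !hostConsistent(u) {
		return false
	}
	return allowedHosts[strings.ToLower(u.Hostname())]
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{"https://example.com:8443/ok",
		"https://example.com:8443evil/", "https://[::1]suffix/"} {
		fmt.Printf("%-34q allowed=%v\n", raw, authorizeURL(raw))
	}
}
```

On the fixed Go versions `url.Parse` itself returns an error for the malformed sample hosts, so `authorizeURL` rejects them at the parse step; the consistency check covers runtimes and code paths where that error is not raised.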

Technical details

Unknown

Credits

Adi Cohen

Reference(s)

[security] Go 1.12.8 and Go 1.11.13 are released
https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

net/url: URL.Parse Multiple Parsing Issues #29098
https://github.com/golang/go/issues/29098

CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514

CVE-2019-9514
https://nvd.nist.gov/vuln/detail/CVE-2019-9514


Last modified: October 17, 2019
