CVE-2019-14809

EPSS 2.5%

golang-1.11 - security update

發布日:2022/7/1修改日:2026/3/9

描述

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.

受影響套件(2)

Debian/golang-1.11from 0, < 1.11.6-1+deb10u1
Go/stdlibfrom 0, < 1.11.13, >= 1.12.0-0, < 1.12.8

參考連結(4)

PATCHhttps://go.dev/cl/189258
PATCHhttps://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6
REPORThttps://go.dev/issue/29098
WEBhttps://groups.google.com/g/golang-announce/c/65QixT3tcmg