{"id":"GO-2022-0211","summary":"Incorrect parsing validation in net/url","details":"The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.","aliases":["CVE-2019-14809"],"modified":"2024-05-20T16:03:47Z","published":"2022-07-01T20:15:30Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0211"},"references":[{"type":"FIX","url":"https://go.dev/cl/189258"},{"type":"FIX","url":"https://go.googlesource.com/go/+/61bb56ad63992a3199acc55b2537c8355ef887b6"},{"type":"REPORT","url":"https://go.dev/issue/29098"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/65QixT3tcmg"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.13"},{"introduced":"1.12.0-0"},{"fixed":"1.12.8"}]}],"ecosystem_specific":{"imports":[{"symbols":["URL.Hostname","URL.Port","parseHost"],"path":"net/url"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0211.json"}}],"schema_version":"1.7.3","credits":[{"name":"Julian Hector"},{"name":"Nikolai Krein from Cure53"},{"name":"Adi Cohen (adico.me)"}]}