#VU20301 Input validation error in Go programming language - CVE-2019-14809


Vulnerability identifier: #VU20301

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14809

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to incorrect processing of URLs in net/url, related to the Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. A remote attacker can create a crafted javascript:// URL that in certain situations can be used to bypass authorization checks for some applications. 

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.11.1 - 1.12.7

External links
https://github.com/golang/go/issues/29098
https://groups.google.com/forum/#!topic/golang-announce/0uuMm1BwpHE
https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat Developer Tools update for go-toolset
Red Hat update for go-toolset:rhel8
OpenSUSE Linux update for go1.12
OpenSUSE Linux update for go1.12
OpenSUSE Linux update for go1.11
OpenSUSE Linux update for go1.12
Arch Linux update for go
Arch Linux update for go-pie
OpenSUSE Linux update for go1.12
Security restrictions bypass in Google Go