CVE-2019-14809
golang-1.11 - security update
EPSS 2.5%
Description
The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
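The invariant this CVE breaks is that `Host` should be fully accounted for by `Hostname()` and `Port()`. The following Go program is an added example, not code from this advisory or from the Go project: it rebuilds `Host` from those two accessors and rejects any URL where the result differs, which is a cheap defence-in-depth check for applications that authorize on hostname or port (the function names and the constructed sample hosts are assumptions).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// rebuildHost reassembles a Host string from Hostname() and Port(); any
// suffix in u.Host that neither accessor reports will not be reproduced.
func rebuildHost(u *url.URL) string {
	h := u.Hostname()
	if strings.Contains(h, ":") { // IPv6 literal must be bracketed
		h = "[" + h + "]"
	}
	if p := u.Port(); p != "" {
		h += ":" + p
	}
	return h
}

// CheckHost rejects a URL whose Host field does not round-trip through
// Hostname() and Port(), which is the condition CVE-2019-14809 describes.
// Apply it before an authorization decision that relies on those accessors.
func CheckHost(u *url.URL) error {
	if u.Hostname() == "" {
		return errors.New("empty hostname")
	}
	if got := rebuildHost(u); got != u.Host {
		return fmt.Errorf("host %q has a suffix outside Hostname()/Port() (rebuilt %q)", u.Host, got)
	}
	return nil
}

// CheckRawURL parses raw and applies CheckHost; it returns nil on rejection.
// Constructed inputs to try: "http://example.com:8080/a" and "http://[::1]:443/b"
// pass, while a hand-built url.URL with Host "[::1]junk" is rejected.
func CheckRawURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if err := CheckHost(u); err != nil {
		return nil, err
	}
	return u, nil
}
```

On a patched Go release url.Parse already rejects such hosts, so the check mainly matters for URL values assembled from untrusted pieces rather than parsed, and on unpatched toolchains.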
How to fix CVE-2019-14809
To remediate CVE-2019-14809, upgrade the affected package to a fixed version below.
- Debian/golang-1.11: upgrade to 1.11.6-1+deb10u1 or later
- Go/stdlib: upgrade to 1.11.13 or later
Is CVE-2019-14809 being exploited?
Low: EPSS is 2.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/golang-1.11: from 0, < 1.11.6-1+deb10u1
- Go/stdlib: from 0, < 1.11.13; from 1.12.0-0, < 1.12.8