CVE-2019-9741
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 13 Mar 2019, 06:00
Last modified:04 Aug 2024, 22:01
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
6.1 MEDIUM
v3.1 (nvd)
EPSS Score
3.34% LOW
3% probability -0.13%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
13 Mar 2019, 06:00
Published
Vulnerability first disclosed
04 Aug 2024, 22:01
Last Modified
Vulnerability information updated
Description
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 3.34%• Percentile: 88%
Techniques & Countermeasures
- CWE-93•Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Systems
- debian•debian_linux
8.0 | 9.0
- fedoraproject•fedora
29
- golang•go
1.11.5
- redhat•developer_tools
1.0
- redhat•enterprise_linux
8.0
References (8)
- https://github.com/golang/go/issues/30794
- http://www.securityfocus.com/bid/107432
- https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/
- https://access.redhat.com/errata/RHSA-2019:1300
- https://access.redhat.com/errata/RHSA-2019:1519
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html