CVE-2019-9741 — MEDIUM (6.1)

Vulnerability Description

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Golang	Go	1.11.5
Debian	Debian Linux	8.0
Fedoraproject	Fedora	29
Redhat	Developer Tools	1.0
Redhat	Enterprise Linux	8.0

Related Weaknesses (CWE)

CWE-93

References

http://www.securityfocus.com/bid/107432Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:1300Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1519Third Party Advisory
https://github.com/golang/go/issues/30794ExploitPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00007.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
http://www.securityfocus.com/bid/107432Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:1300Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1519Third Party Advisory
https://github.com/golang/go/issues/30794ExploitPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00007.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2019-9741?

CVE-2019-9741 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by a...

How severe is CVE-2019-9741?

CVE-2019-9741 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-9741?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Debian Debian Linux, Fedoraproject Fedora, Redhat Developer Tools, Redhat Enterprise Linux.