CVE-2019-9741

Public on 2019-07-17
Modified on 2019-07-25
Description
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
Severity
Medium
CVSS v3 Base Score
5.3
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 golang 2019-07-17 23:28 ALAS-2019-1238

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
NVD CVSSv3 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N