Vulnerabilities > CVE-2019-9741 - CRLF Injection vulnerability in multiple products

CVSS 6.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

nessus

NVD

Published: 2019-03-13

Updated: 2023-11-07

Summary

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

Vulnerable Configurations

Part	Description	Count
Application	Golang Golang GO 1.11.5	1
Application	Redhat Redhat Developer Tools 1.0	1
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 9.0	2
OS	Fedoraproject Fedoraproject Fedora 29	1
OS	Redhat Redhat Enterprise Linux 8.0	1

Common Weakness Enumeration (CWE)

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Web Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

Nessus

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2019-1238.NASL
description	An issue was discovered in net/http in Go. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. (CVE-2019-9741)
last seen	2020-06-01
modified	2020-06-02
plugin id	127066
published	2019-07-26
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127066
title	Amazon Linux AMI : golang (ALAS-2019-1238)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-1300.NASL
description	An update for go-toolset-1.11 and go-toolset-1.11-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. Security Fix(es) : * golang: CRLF injection in net/http (CVE-2019-9741) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	125711
published	2019-06-05
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125711
title	RHEL 7 : go-toolset-1.11-golang (RHSA-2019:1300)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-1519.NASL
description	An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The go-toolset:rhel8 module provides Go Toolset, a compiler toolset for building applications using the Go language and compiler suite. Security Fix(es) : * golang: CRLF injection in net/http (CVE-2019-9741) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-05-23
modified	2019-06-19
plugin id	126028
published	2019-06-19
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/126028
title	RHEL 8 : go-toolset:rhel8 (RHSA-2019:1519)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1749.NASL
description	It was discovered that there was a CRLF injection attack in the Go programming language runtime library. Passing \r\n to http.NewRequest could allow execution of arbitrary HTTP headers or Redis commands. For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	123690
published	2019-04-04
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123690
title	Debian DLA-1749-1 : golang security update

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-D05BC7E3DF.NASL
description	- Rebase to go1.11.6 - Security fix for CVE-2019-9741 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	123979
published	2019-04-11
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123979
title	Fedora 29 : golang (2019-d05bc7e3df)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2019-2_0-0168_GO.NASL
description	An update of the go package has been released.
last seen	2020-06-01
modified	2020-06-02
plugin id	128175
published	2019-08-26
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128175
title	Photon OS 2.0: Go PHSA-2019-2.0-0168

Redhat

advisories

bugzilla

id	1688230
title	CVE-2019-9741 golang: CRLF injection in net/http

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074
comment Module go-toolset:rhel8 is enabled
oval oval:com.redhat.rhsa:tst:20191519017

AND

comment golang-race is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519001
comment golang-race is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191519002

AND

comment golang-bin is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519003
comment golang-bin is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20161538002

AND

comment golang is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519005
comment golang is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20161538004

AND

comment go-toolset is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519007
comment go-toolset is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20191519008

AND

comment golang-tests is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519009
comment golang-tests is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20161538012

AND

comment golang-src is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519011
comment golang-src is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20161538008

AND

comment golang-misc is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519013
comment golang-misc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20161538010

AND

comment golang-docs is earlier than 0:1.11.5-2.module+el8.0.0+3175+261ae921
oval oval:com.redhat.rhsa:tst:20191519015
comment golang-docs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20161538006

rhsa

id	RHSA-2019:1519
released	2019-06-18
severity	Moderate
title	RHSA-2019:1519: go-toolset:rhel8 security update (Moderate)

rhsa
id RHSA-2019:1300

rpms

go-toolset-1.11-0:1.11.5-2.el7
go-toolset-1.11-build-0:1.11.5-2.el7
go-toolset-1.11-golang-0:1.11.5-3.el7
go-toolset-1.11-golang-bin-0:1.11.5-3.el7
go-toolset-1.11-golang-docs-0:1.11.5-3.el7
go-toolset-1.11-golang-misc-0:1.11.5-3.el7
go-toolset-1.11-golang-race-0:1.11.5-3.el7
go-toolset-1.11-golang-src-0:1.11.5-3.el7
go-toolset-1.11-golang-tests-0:1.11.5-3.el7
go-toolset-1.11-runtime-0:1.11.5-2.el7
go-toolset-1.11-scldevel-0:1.11.5-2.el7
go-toolset-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-bin-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-docs-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-misc-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-race-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-src-0:1.11.5-2.module+el8.0.0+3175+261ae921
golang-tests-0:1.11.5-2.module+el8.0.0+3175+261ae921

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References