An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with rn followed by an HTTP header or a Redis command.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741
Reference (s):
- BID:107432
- URL: http://www.securityfocus.com/bid/107432
- FEDORA:FEDORA-2019-d05bc7e3df
- URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/
- https://github.com/golang/go/issues/30794