CVE-2021-33195
Aliases:GO-2021-0239BIT-golang-2021-33195
Advisory lineage Upstream: 0 Downstream: 25
Modified
Published: 02 Aug 2021, 18:51
Last modified:03 Aug 2024, 23:42
Vulnerability Summary
Overall Risk (default)
medium
40/100 CVSS Score
7.5 HIGH
v2.0 (nvd)
EPSS Score
0.03% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
02 Aug 2021, 18:51
Published
Vulnerability first disclosed
03 Aug 2024, 23:42
Last Modified
Vulnerability information updated
Description
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVSS Metrics
- v3.1•HIGH•Score: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.03%• Percentile: 9%
Techniques & Countermeasures
- CWE-74•Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Affected Systems
- golang•go
< 1.15.13 | ≥ 1.16.0, < 1.16.5
- Go•stdlib
≥ 1.16.0-0, < 1.16.5
- netapp•cloud_insights_telegraf_agent
na
References (7)
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- https://security.netapp.com/advisory/ntap-20210902-0005/
- https://security.gentoo.org/glsa/202208-02
- https://go.dev/cl/320949
- https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2
- https://go.dev/issue/46241