CVE-2021-36221

Aliases:GO-2021-0245BIT-golang-2021-36221
Advisory lineage Upstream: 0 Downstream: 20
Modified
Published: 08 Aug 2021, 00:00
Last modified:04 Aug 2024, 00:54

Vulnerability Summary

Overall Risk (default)
low
24/100
CVSS Score
5.9 MEDIUM
v3.1 (nvd)
EPSS Score
0.23% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

08 Aug 2021, 00:00
Published
Vulnerability first disclosed
04 Aug 2024, 00:54
Last Modified
Vulnerability information updated

Description

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

CVSS Metrics

  • v3.1MEDIUMScore: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.23% Percentile: 46%

Techniques & Countermeasures

  • CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

  • debiandebian_linux

    9.0

  • fedoraprojectfedora

    33 | 34 | 35

  • golanggo

    < 1.15.15 | ≥ 1.16.0, < 1.16.7

  • Gostdlib

    ≥ 1.16.0-0, < 1.16.7

  • oracletimesten_in-memory_database

    < 21.1.1.1.0

  • siemensscalance_lpe9403_firmware

    < 2.0

References (15)