Panic in Go Archive Reader Due to Crafted File Count
CVE-2021-33196

7.5HIGH

Key Information:

Vendor

Golang

Status
Go
Vendor
CVE Published:
2 August 2021

What is CVE-2021-33196?

A vulnerability exists in the Go programming language's archive/zip package, specifically impacting versions prior to 1.15.13 and those in the 1.16.x series before 1.16.5. A specially crafted file count in the archive's header can lead to a panic when invoking the NewReader or OpenReader functions. This behavior can potentially be exploited by malicious actors, allowing them to disrupt application stability or trigger unexpected behavior during file processing. Users are advised to update to the latest versions to mitigate risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://groups.google.com/g/golang-announce
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
https://lists.debian.org/debian-lts-announce/2022/01/msg0...
mailing-list

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.