Panic in Go Archive Reader Due to Crafted File Count
CVE-2021-33196

7.5HIGH

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 2 August 2021

What is CVE-2021-33196?

A vulnerability exists in the Go programming language's archive/zip package, specifically impacting versions prior to 1.15.13 and those in the 1.16.x series before 1.16.5. A specially crafted file count in the archive's header can lead to a panic when invoking the NewReader or OpenReader functions. This behavior can potentially be exploited by malicious actors, allowing them to disrupt application stability or trigger unexpected behavior during file processing. Users are advised to update to the latest versions to mitigate risks.

References

https://groups.google.com/g/golang-announce

https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

https://lists.debian.org/debian-lts-announce/2022/01/msg0...

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2021
Vulnerability Reserved
May 19, 2021

Golang

What is CVE-2021-33196?

References

CVSS V3.1

Timeline