Archive Header Vulnerability in Go Programming Language
CVE-2021-39293

7.5HIGH

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 24 January 2022

What is CVE-2021-39293?

In versions of Go prior to 1.16.8 and 1.17.x before 1.17.1, a vulnerability in the archive/zip package can be exploited by providing a specially crafted archive header. This misleading header can falsely indicate the presence of numerous files, leading to a panic in NewReader or OpenReader functions. The issue arises from an incomplete fix related to a previous vulnerability, showcasing the need for comprehensive security measures. Developers and organizations relying on affected versions should prioritize upgrading to mitigate potential Denial of Service risks.

References

https://groups.google.com/g/golang-announce/c/dx9d7IOseHw

https://security.netapp.com/advisory/ntap-20220217-0009/

https://cert-portal.siemens.com/productcert/pdf/ssa-22254...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2022
Vulnerability Reserved
Aug 19, 2021

Golang

What is CVE-2021-39293?

References

CVSS V3.1

Timeline