CVE-2021-27919

Опубликовано: 10 мар. 2021

Источник: redhat

CVSS3: 5.5

EPSS Низкий

Описание

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.

An out of bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a Denial of Service (DoS).

Затронутые пакеты

Платформа	Пакет	Состояние
OpenShift Serverless	CLI	Not affected
OpenShift Serverless	knative-eventing	Not affected
OpenShift Serverless	knative-serving	Not affected
OpenShift Service Mesh 2.0	servicemesh	Not affected
OpenShift Service Mesh 2.0	servicemesh-grafana	Not affected
Red Hat Ceph Storage 2	golang	Out of support scope
Red Hat Ceph Storage 2	grafana	Out of support scope
Red Hat Ceph Storage 3	golang	Not affected
Red Hat Ceph Storage 3	golang-github-prometheus-node_exporter	Not affected
Red Hat Ceph Storage 3	grafana	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

Дефект:

CWE-125

https://bugzilla.redhat.com/show_bug.cgi?id=1937909golang: archive/zip: panic when calling Reader.Open

EPSS

Процентиль: 33%

0.00132

Низкий

5.5 Medium

CVSS3

Связанные уязвимости

CVE-2021-27919

CVSS3: 5.5

ubuntu

почти 5 лет назад

CVE-2021-27919

CVSS3: 5.5

nvd

почти 5 лет назад

CVE-2021-27919

CVSS3: 5.5

debian

почти 5 лет назад

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a den ...

GHSA-v7gg-6p99-5jxq

CVSS3: 5.5

github

больше 3 лет назад

SUSE-SU-2021:0937-1

suse-cvrf

почти 5 лет назад

Security update for go1.16

EPSS

Процентиль: 33%

0.00132

Низкий

5.5 Medium

CVSS3