CVE-2021-33196

Published: May 25, 2021
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files.
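
A pre-parse sanity check for the crafted file count described above, added here as an example (not Red Hat's or the Go project's code): it compares the count declared in the end-of-central-directory record with the bytes available for central directory headers. The names `declaredEntries`, `openChecked` and `sampleZip` are hypothetical, the sample archive is constructed, and ZIP64 archives are assumed out of scope.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
)

// EOCD signature, fixed EOCD length, smallest central directory header length.
const eocdSig, eocdLen, cdHdrLen = "PK\x05\x06", 22, 46

// declaredEntries returns the file count claimed by the end-of-central-directory
// (EOCD) record and rejects counts the bytes before it cannot hold (no ZIP64).
func declaredEntries(data []byte) (int, error) {
	i := bytes.LastIndex(data, []byte(eocdSig))
	if i < 0 || i+eocdLen > len(data) {
		return 0, fmt.Errorf("zip: no complete EOCD record")
	}
	n := int(binary.LittleEndian.Uint16(data[i+10:])) // "total entries" field
	if n*cdHdrLen > i {
		return 0, fmt.Errorf("zip: header claims %d entries, only %d bytes precede it", n, i)
	}
	return n, nil
}

// openChecked validates the declared count before archive/zip parses the input.
func openChecked(data []byte) (*zip.Reader, error) {
	if _, err := declaredEntries(data); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(data), int64(len(data)))
}

// sampleZip builds a constructed two-file archive whose EOCD declares `declared` entries.
func sampleZip(declared uint16) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	w.Create("a.txt")
	w.Create("b.txt")
	w.Close()
	i := bytes.LastIndex(buf.Bytes(), []byte(eocdSig))
	binary.LittleEndian.PutUint16(buf.Bytes()[i+10:], declared)
	return buf.Bytes()
}

func main() {
	_, err := openChecked(sampleZip(0xfffe))
	fmt.Println(err) // constructed sample: count inflated past what the file can hold
}
```

A check like this only reduces exposure for code that must parse untrusted archives on an older toolchain; building with Go 1.15.13, 1.16.5 or later is the fix the description names.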

Report

  • In OpenShift Container Platform and OpenShift Service Mesh, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short-lived client-side tools, not long-lived server-side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform and OpenShift Service Mesh.
  • Although OpenShift distributed tracing (formerly OpenShift Jaeger) components are compiled with a vulnerable version of Go, the vulnerable archive/zip package is currently not used by this product; therefore these components are affected, but with impact Low. Additionally, only core OpenShift distributed tracing components have been listed.
  • Although Serverless does ship the affected package, it does not make use of the actual package and hence the impact is low.
  • Because Service Telemetry Framework 1.2 will be retiring soon and the flaw's impact is lower, no update will be provided at this time for STF 1.2's smart-gateway-container and sg-core-container.

Affected packages

| Platform | Package | Status | Recommendation | Release |
| --- | --- | --- | --- | --- |
| OpenShift Serverless | CLI | Affected | | |
| OpenShift Serverless | knative-eventing | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-operator | Will not fix | | |
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | | |
| Red Hat Advanced Cluster Security 3 | rox | Affected | | |
| Red Hat Ceph Storage 2 | golang | Out of support scope | | |
| Red Hat Ceph Storage 2 | grafana | Out of support scope | | |
| Red Hat Ceph Storage 3 | golang | Out of support scope | | |


Additional information

Status: Moderate
Defect: CWE-400
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1965503 (golang: archive/zip: malformed archive may cause panic or memory exhaustion)

EPSS

Percentile: 4%
0.0002
Low

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 4 years ago

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

CVSS3: 7.5
nvd
almost 4 years ago

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

CVSS3: 7.5
msrc
9 months ago

No description available

CVSS3: 7.5
debian
almost 4 years ago

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafte ...

CVSS3: 7.5
github
about 3 years ago

Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 1 of 2).
