Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-41772

Опубликовано: 30 авг. 2021
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument.

Отчет

  • In OpenShift Container Platform multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.
  • Because Service Telemetry Framework1.2 will be retiring soon and the flaw's impact is lower, no update will be provided at this time for STF1.2's sg-core-container.
  • Because Red Hat Ceph Storage only uses Go's archive/zip for the Grafana CLI and thus is not directly exploitable, the vulnerability has been rated low for Red Hat Ceph Storage.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift ServerlessCLIAffected
OpenShift Serverlessknative-eventingAffected
OpenShift Service Mesh 2.0servicemeshWill not fix
OpenShift Service Mesh 2.0servicemesh-grafanaWill not fix
OpenShift Service Mesh 2.1servicemeshAffected
OpenShift Service Mesh 2.1servicemesh-grafanaAffected
Red Hat Advanced Cluster Security 3advanced-cluster-security/rhacs-main-rhel8Affected
Red Hat Advanced Cluster Security 3advanced-cluster-security/rhacs-scanner-rhel8Affected
Red Hat Ceph Storage 2golangOut of support scope
Red Hat Ceph Storage 2grafanaOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-20
Дефект:
CWE-125
https://bugzilla.redhat.com/show_bug.cgi?id=2020736golang: archive/zip: Reader.Open panics on empty string

EPSS

Процентиль: 20%
0.00062
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-41772

CVSS3: 7.5
ubuntu
больше 3 лет назад

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

nvd логотип

CVE-2021-41772

CVSS3: 7.5
nvd
больше 3 лет назад

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

msrc логотип

CVE-2021-41772

CVSS3: 7.5
msrc
больше 3 лет назад

Описание отсутствует

debian логотип

CVE-2021-41772

CVSS3: 7.5
debian
больше 3 лет назад

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reade ...

github логотип

GHSA-8rv2-6fw3-rxjg

CVSS3: 7.5
github
около 3 лет назад

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

EPSS

Процентиль: 20%
0.00062
Низкий

7.5 High

CVSS3