5.9

CVE-2017-15042

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version <= 1.8.3
GolangGo Version1.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.11% 0.615
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://access.redhat.com/errata/RHSA-2017:3463
https://access.redhat.com/errata/RHSA-2018:0878
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
Vendor Advisory
Mailing List
https://security.gentoo.org/glsa/201710-23
Third Party Advisory
http://www.securityfocus.com/bid/101197
Third Party Advisory
VDB Entry
https://github.com/golang/go/issues/22134
Patch
Vendor Advisory
Issue Tracking
https://golang.org/cl/68023
Patch
Vendor Advisory
Issue Tracking
https://golang.org/cl/68210
Vendor Advisory