Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.9
CVSSv3

CVE-2017-15042

Published: 05/10/2017 Updated: 03/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Subscribe to Go

Vulnerability Summary

An unintended cleartext issue exists in Go prior to 1.8.4 and 1.9.x prior to 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

golang go 1.9

golang go

Vendor Advisories

Red Hat: Moderate: go-toolset-7 and go-toolset-7-golang security and bug fix update
Synopsis Moderate: go-toolset-7 and go-toolset-7-golang security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for go-toolset-7 and go-toolset-7-golang is now available for Red Hat Developer ToolsRed Hat Product Security has rated this update as having a security impact of Mo ...
Red Hat: Moderate: golang security, bug fix, and enhancement update
Synopsis Moderate: golang security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for golang is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring Syst ...
Amazon Linux AMI: ALAS-2017-918
Arbitrary code execution during go get or go get -d:Go before 184 and 19x before 191 allows "go get" remote command execution Using custom domains, it is possible to arrange things so that examplecom/pkg1 points to a Subversion repository but examplecom/pkg1/pkg2 points to a Git repository If the Subversion repository includes a Git check ...
Red Hat: CVE-2017-15042
It was found that smtpPlainAuth authentication scheme in Go did not verify the TLS requirement properly A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application ...
Amazon Linux 2: ALAS2-2018-1011
Arbitrary code execution during go get or go get -dGo before 184 and 19x before 191 allows "go get" remote command execution Using custom domains, it is possible to arrange things so that examplecom/pkg1 points to a Subversion repository but examplecom/pkg1/pkg2 points to a Git repository If the Subversion repository includes a Git checko ...

References

CWE-319https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJhttps://golang.org/cl/68210https://golang.org/cl/68023https://github.com/golang/go/issues/22134http://www.securityfocus.com/bid/101197https://security.gentoo.org/glsa/201710-23https://access.redhat.com/errata/RHSA-2017:3463https://access.redhat.com/errata/RHSA-2018:0878https://nvd.nist.govhttps://access.redhat.com/errata/RHSA-2017:3463https://alas.aws.amazon.com/ALAS-2017-918.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27977IMAPlocal usersCVE-2024-32038CVE-2023-49963CVE-2023-22869CVE-2024-31497localCVE-2024-2961
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook