CVE-2017-15042
First published: Thu Oct 05 2017(Updated: )
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/golang | <1.8.4 | 1.8.4 |
| redhat/golang | <1.9.1 | 1.9.1 |
| Golang | <=1.8.3 | |
| Golang | =1.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/101197
- https://access.redhat.com/errata/RHSA-2017:3463
- https://access.redhat.com/errata/RHSA-2018:0878
- https://github.com/golang/go/issues/22134
- https://golang.org/cl/68023
- https://golang.org/cl/68210
- https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
- https://security.gentoo.org/glsa/201710-23
- https://go-review.googlesource.com/c/go/+/68023
- https://go-review.googlesource.com/c/go/+/68210
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1498872
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1498873
- https://access.redhat.com/security/cve/CVE-2017-15042
- https://bugzilla.redhat.com/show_bug.cgi?id=1498867
Frequently Asked Questions
What is the severity of CVE-2017-15042?
CVE-2017-15042 has a medium severity rating due to potential exposure of plaintext credentials.
How do I fix CVE-2017-15042?
To fix CVE-2017-15042, upgrade to Go version 1.8.4 or 1.9.1 or later.
Which versions of Go are affected by CVE-2017-15042?
CVE-2017-15042 affects Go versions prior to 1.8.4 and 1.9.x prior to 1.9.1.
What is the impact of CVE-2017-15042?
The impact of CVE-2017-15042 is that it allows sensitive user credentials to be transmitted in cleartext over SMTP connections.
What is the nature of the vulnerability in CVE-2017-15042?
CVE-2017-15042 is a cleartext credential exposure vulnerability that violates RFC 4954 requirements for SMTP PLAIN authentication.
- agent/references
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-15042
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/golang
- canonical/golang
- version/golang/1.8.3
- version/golang/1.9