CVE-2021-33194
First published: Thu May 20 2021(Updated: )
A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/golang.org/x/net v0.0.0-20210520170846 | <37 | 37 |
| go/golang.org/x/net | <0.0.0-20210520170846-37e1c6afe023 | 0.0.0-20210520170846-37e1c6afe023 |
| IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
| IBM Watson Query with Cloud Pak for Data | <=2.2 | |
| IBM Watson Query with Cloud Pak for Data | <=2.1 | |
| IBM Watson Query with Cloud Pak for Data | <=2.0 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.7 | |
| Golang | <=1.15.12 | |
| Golang | >=1.16.0<=1.16.4 | |
| Fedora | =36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-33194 https://nvd.nist.gov/vuln/detail/CVE-2021-33194 https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
- https://bugzilla.redhat.com/show_bug.cgi?id=1963232
- https://access.redhat.com/errata/RHSA-2021:4627
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/errata/RHSA-2021:3759
- https://access.redhat.com/security/cve/CVE-2021-33194
- https://github.com/golang/go/issues/46288
- https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1963235
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1963233
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1963234
- https://go-review.googlesource.com/c/net/+/311090/
- https://access.redhat.com/security/cve/cve-2021-33194
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1963232#c25
- https://nvd.nist.gov/vuln/detail/CVE-2021-33194
- https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7
- https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
- https://go.dev/cl/311090
- https://go.dev/issue/46288
- https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7
- https://pkg.go.dev/vuln/GO-2021-0238
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM
- https://github.com/advisories/GHSA-83g2-8m93-v3w7 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
- https://www.ibm.com/support/pages/node/7183851 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-33194?
CVE-2021-33194 has a high severity rating due to its impact on system availability.
How do I fix CVE-2021-33194?
To fix CVE-2021-33194, upgrade to golang.org/x/net version 0.0.0-20210520170846-37e1c6afe023 or later.
Which software is affected by CVE-2021-33194?
CVE-2021-33194 affects versions of Go and golang.org/x/net up to 1.15.12 and certain versions between 1.16.0 and 1.16.4.
What type of vulnerability is CVE-2021-33194?
CVE-2021-33194 is a denial of service vulnerability due to an infinite loop in the ParseFragment function.
Can CVE-2021-33194 be exploited remotely?
Yes, CVE-2021-33194 can be exploited remotely by crafting specific inputs to the ParseFragment function.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-33194
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-83g2-8m93-v3w7
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/author
- agent/last-modified-date
- agent/references
- agent/source
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/go
- vendor/ibm
- canonical/ibm data virtualization on cloud pak for data
- version/ibm data virtualization on cloud pak for data/3.0
- canonical/ibm watson query with cloud pak for data
- version/ibm watson query with cloud pak for data/2.2
- version/ibm watson query with cloud pak for data/2.1
- version/ibm watson query with cloud pak for data/2.0
- version/ibm data virtualization on cloud pak for data/1.8
- version/ibm data virtualization on cloud pak for data/1.7
- vendor/golang
- canonical/golang
- version/golang/1.15.12
- version/golang/1.16.0
- version/golang/1.16.4
- vendor/fedoraproject
- canonical/fedora
- version/fedora/36