CVE-2021-33197: Input Validation
First published: Fri May 21 2021(Updated: )
A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:0.23.2-1.el8 | 0:0.23.2-1.el8 |
| redhat/go-toolset | <1.15-golang-0:1.15.14-2.el7_9 | 1.15-golang-0:1.15.14-2.el7_9 |
| redhat/grafana | <0:7.5.9-4.el8 | 0:7.5.9-4.el8 |
| redhat/podman | <2:4.2.0-3.el9 | 2:4.2.0-3.el9 |
| redhat/buildah | <1:1.27.0-2.el9 | 1:1.27.0-2.el9 |
| redhat/ignition | <0:2.6.0-8.rhaos4.6.git947598e.el8 | 0:2.6.0-8.rhaos4.6.git947598e.el8 |
| redhat/atomic-openshift-service-idler | <0:4.7.0-202107291238.p0.git.39cfc66.assembly.stream.el8 | 0:4.7.0-202107291238.p0.git.39cfc66.assembly.stream.el8 |
| redhat/cri-o | <0:1.20.4-7.rhaos4.7.git6287500.el7 | 0:1.20.4-7.rhaos4.7.git6287500.el7 |
| redhat/ignition | <0:2.9.0-4.rhaos4.7.git1d56dc8.el8 | 0:2.9.0-4.rhaos4.7.git1d56dc8.el8 |
| redhat/openshift | <0:4.7.0-202107292242.p0.git.558d959.assembly.stream.el7 | 0:4.7.0-202107292242.p0.git.558d959.assembly.stream.el7 |
| redhat/openshift-clients | <0:4.7.0-202107292242.p0.git.8b4b094.assembly.stream.el8 | 0:4.7.0-202107292242.p0.git.8b4b094.assembly.stream.el8 |
| redhat/redhat-release-coreos | <0:47.84-1.el8 | 0:47.84-1.el8 |
| redhat/cri-o | <0:1.21.2-8.rhaos4.8.git8d4264e.el7 | 0:1.21.2-8.rhaos4.8.git8d4264e.el7 |
| redhat/ignition | <0:2.9.0-7.rhaos4.8.el8 | 0:2.9.0-7.rhaos4.8.el8 |
| redhat/openshift | <0:4.8.0-202107300027.p0.git.38b3ecc.assembly.stream.el7 | 0:4.8.0-202107300027.p0.git.38b3ecc.assembly.stream.el7 |
| redhat/openshift-clients | <0:4.8.0-202107292313.p0.git.1077b05.assembly.stream.el7 | 0:4.8.0-202107292313.p0.git.1077b05.assembly.stream.el7 |
| redhat/containernetworking-plugins | <0:0.8.6-3.rhaos4.6.el7 | 0:0.8.6-3.rhaos4.6.el7 |
| redhat/cri-tools | <0:1.21.0-3.el8 | 0:1.21.0-3.el8 |
| redhat/golang-github-prometheus-promu | <0:0.5.0-4.git642a960.el8 | 0:0.5.0-4.git642a960.el8 |
| redhat/butane | <0:0.12.1-2.rhaos4.8.el8 | 0:0.12.1-2.rhaos4.8.el8 |
| redhat/mcg | <0:5.9.0-28.61dcf87.5.9.el8 | 0:5.9.0-28.61dcf87.5.9.el8 |
| redhat/etcd | <0:3.3.23-3.1.el8 | 0:3.3.23-3.1.el8 |
| redhat/kubevirt | <0:2.6.10-230.el7 | 0:2.6.10-230.el7 |
| redhat/kubevirt | <0:4.8.5-278.el7 | 0:4.8.5-278.el7 |
| redhat/kubevirt | <0:2.6.10-230.el8 | 0:2.6.10-230.el8 |
| redhat/kubevirt | <0:4.8.5-278.el8 | 0:4.8.5-278.el8 |
| Golang Go | <1.15.13 | |
| Golang Go | >=1.16.0<1.16.5 | |
| redhat/go | <1.16.5 | 1.16.5 |
| redhat/go | <1.15.13 | 1.15.13 |
| IBM Security Guardium Insights | <=3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-33197 https://nvd.nist.gov/vuln/detail/CVE-2021-33197 https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- https://bugzilla.redhat.com/show_bug.cgi?id=1989570
- https://access.redhat.com/errata/RHSA-2021:3556
- https://access.redhat.com/errata/RHSA-2021:3555
- https://access.redhat.com/errata/RHSA-2021:3431
- https://access.redhat.com/errata/RHSA-2021:4156
- https://access.redhat.com/errata/RHSA-2021:4226
- https://access.redhat.com/errata/RHSA-2022:7954
- https://access.redhat.com/errata/RHSA-2022:8008
- https://access.redhat.com/errata/RHSA-2021:3361
- https://access.redhat.com/errata/RHSA-2022:0577
- https://access.redhat.com/errata/RHSA-2021:3009
- https://access.redhat.com/errata/RHBA-2021:2979
- https://access.redhat.com/errata/RHSA-2021:2984
- https://access.redhat.com/errata/RHSA-2021:3248
- https://access.redhat.com/errata/RHSA-2021:2983
- https://access.redhat.com/errata/RHSA-2021:3820
- https://access.redhat.com/errata/RHSA-2021:3759
- https://access.redhat.com/errata/RHSA-2021:5085
- https://access.redhat.com/errata/RHSA-2021:5086
- https://access.redhat.com/errata/RHSA-2021:5072
- https://access.redhat.com/errata/RHSA-2021:3487
- https://access.redhat.com/errata/RHSA-2021:3146
- https://access.redhat.com/errata/RHSA-2022:1402
- https://access.redhat.com/errata/RHSA-2022:1329
- https://access.redhat.com/errata/RHSA-2022:0947
- https://access.redhat.com/errata/RHSA-2021:4104
- https://access.redhat.com/errata/RHSA-2022:0191
- https://access.redhat.com/security/cve/cve-2021-33197
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- https://security.gentoo.org/glsa/202208-02
- https://github.com/golang/go/issues/46313
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989574
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989571
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1989573
- https://access.redhat.com/errata/RHSA-2021:3229
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1995785
- https://access.redhat.com/errata/RHSA-2021:3598
- https://exchange.xforce.ibmcloud.com/vulnerabilities/206603
- https://www.ibm.com/support/pages/node/6550866 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2021:3556
- RHSA-2021:3555
- RHSA-2021:3431
- RHSA-2021:4156
- RHSA-2021:4226
- RHSA-2022:7954
- RHSA-2022:8008
- RHSA-2021:3361
- RHSA-2022:0577
- RHSA-2021:3009
- RHBA-2021:2979
- RHSA-2021:2984
- RHSA-2021:3248
- RHSA-2021:2983
- RHSA-2021:3820
- RHSA-2021:3759
- RHSA-2021:5085
- RHSA-2021:5086
- RHSA-2021:5072
- RHSA-2021:3487
- RHSA-2021:3146
- RHSA-2022:1402
- RHSA-2022:1329
- RHSA-2022:0947
- RHSA-2021:4104
- RHSA-2022:0191
- IBM-6550866
Frequently Asked Questions
What is CVE-2021-33197?
CVE-2021-33197 is a vulnerability in Go that allows a remote attacker to bypass security restrictions.
How does CVE-2021-33197 affect Golang Go?
CVE-2021-33197 affects Golang Go versions before 1.15.13 and 1.16.x before 1.16.5.
What is the severity of CVE-2021-33197?
CVE-2021-33197 has a severity rating of 7.5 (high).
How can an attacker exploit CVE-2021-33197?
An attacker can exploit CVE-2021-33197 by sending a specially-crafted request to drop arbitrary headers.
What is the remedy for CVE-2021-33197?
To fix CVE-2021-33197, update your Golang Go installation to version 1.15.13 or 1.16.5.
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-33197
- agent/software-canonical-lookup
- agent/event
- agent/description
- collector/ibm-support
- source/IBM
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/golang
- canonical/golang go
- version/golang go/1.16.0
- vendor/ibm
- canonical/ibm security guardium insights
- version/ibm security guardium insights/3.0