CVE-2021-39293
First published: Mon Sep 20 2021(Updated: )
Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By sending a specially-crafted archive header, a remote attacker could exploit this vulnerability to cause a panic, which results in a denial of service.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | <1.16.8 | |
| Golang Go | >=1.17.0<1.17.1 | |
| Netapp Cloud Insights Telegraf | ||
| IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
| IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/220196
- https://www.ibm.com/support/pages/node/7080058 (Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- https://groups.google.com/g/golang-announce/c/dx9d7IOseHw
- https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- https://security.netapp.com/advisory/ntap-20220217-0009/
- https://access.redhat.com/security/cve/CVE-2021-33196
- https://github.com/golang/go/issues/47801
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2006045
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2006047
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2006046
- https://github.com/golang/go/commit/bacbc33439b124ffd7392c91a5f5d96eca8c0c0b
- https://github.com/golang/go/commit/1dd24caf08985066b309af6bc461780c73e05c35
- https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
- https://access.redhat.com/errata/RHSA-2021:4902
- https://access.redhat.com/errata/RHSA-2022:0432
- https://access.redhat.com/errata/RHSA-2022:0434
- https://access.redhat.com/errata/RHSA-2022:0655
- https://access.redhat.com/errata/RHSA-2022:1819
- https://access.redhat.com/errata/RHSA-2022:4814
- https://bugzilla.redhat.com/show_bug.cgi?id=2006044
Frequently Asked Questions
What is CVE-2021-39293?
CVE-2021-39293 is a vulnerability in Go that can be exploited by a remote attacker to cause a denial of service.
How does CVE-2021-39293 impact Go?
CVE-2021-39293 can lead to a panic, resulting in a denial of service in Go.
What software versions are affected by CVE-2021-39293?
Go versions up to 1.16.8 and versions up to 1.17.1 are affected by CVE-2021-39293.
How can I fix the CVE-2021-39293 vulnerability in Go?
To fix the CVE-2021-39293 vulnerability in Go, update to version 1.16.8 or 1.17.1.
Is there any additional information available about CVE-2021-39293?
Yes, you can find more information about CVE-2021-39293 in the references provided: [Reference 1](https://access.redhat.com/security/cve/CVE-2021-33196), [Reference 2](https://groups.google.com/g/golang-announce/c/dx9d7IOseHw), [Reference 3](https://github.com/golang/go/issues/47801).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-39293
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/golang
- canonical/golang go
- version/golang go/1.17.0
- vendor/netapp
- canonical/netapp cloud insights telegraf
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak for security
- version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
- canonical/ibm qradar suite software
- version/ibm qradar suite software/1.10.12.0 - 1.10.16.0