CVE-2017-15042

MEDIUM

Description

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013 (upstream issue #5184), this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
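A client-side guard for the condition described above, as an added example that is not code from Go or from this advisory: a wrapper around smtp.PlainAuth that refuses to start unless the connection is TLS-protected, next to a small model of the "server decides" rule. The names tlsOnlyPlainAuth, NewTLSOnlyPlainAuth, legacyWouldSend, startAuth and the host mail.example.test are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

const exampleHost = "mail.example.test" // constructed host name
// tlsOnlyPlainAuth (hypothetical helper, not part of net/smtp) wraps
// smtp.PlainAuth and refuses to start without TLS, whatever the server advertises.
type tlsOnlyPlainAuth struct{ inner smtp.Auth }

func NewTLSOnlyPlainAuth(user, pass, host string) smtp.Auth {
	return &tlsOnlyPlainAuth{inner: smtp.PlainAuth("", user, pass, host)}
}

func (a *tlsOnlyPlainAuth) Start(s *smtp.ServerInfo) (string, []byte, error) {
	if !s.TLS {
		return "", nil, errors.New("refusing PLAIN: connection is not TLS")
	}
	return a.inner.Start(s) // PlainAuth also checks s.Name against host
}

func (a *tlsOnlyPlainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

// legacyWouldSend models the rule in the description (server decides); not Go's source.
func legacyWouldSend(tls bool, advertised []string) bool {
	for _, m := range advertised {
		if m == "PLAIN" {
			return true
		}
	}
	return tls
}

// startAuth runs the first AUTH step against a constructed ServerInfo.
func startAuth(a smtp.Auth, tls bool, advertised []string) (string, error) {
	proto, _, err := a.Start(&smtp.ServerInfo{Name: exampleHost, TLS: tls, Auth: advertised})
	return proto, err
}

func main() {
	a := NewTLSOnlyPlainAuth("user", "constructed-password", exampleHost)
	_, err := startAuth(a, false, []string{"PLAIN"}) // no TLS, PLAIN offered
	fmt.Println("legacy sends:", legacyWouldSend(false, []string{"PLAIN"}), "| wrapper:", err)
}
```

The value returned by NewTLSOnlyPlainAuth satisfies smtp.Auth, so it can be passed wherever smtp.PlainAuth's result would be.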

References

http://www.securityfocus.com/bid/101197

https://access.redhat.com/errata/RHSA-2017:3463

https://access.redhat.com/errata/RHSA-2018:0878

https://github.com/golang/go/issues/22134

https://golang.org/cl/68023

https://golang.org/cl/68210

https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ

https://security.gentoo.org/glsa/201710-23

Details

Source: MITRE

Published: 2017-10-05

Updated: 2019-10-03

Type: CWE-319

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* versions up to 1.8.3 (inclusive)

cpe:2.3:a:golang:go:1.9:*:*:*:*:*:*:*

Tenable Plugins


ID | Name | Product | Family | Severity
127229 | NewStart CGSL CORE 5.04 / MAIN 5.04 : golang Multiple Vulnerabilities (NS-SA-2019-0047) | Nessus | NewStart CGSL Local Security Checks | critical
109690 | Amazon Linux 2 : golang (ALAS-2018-1011) | Nessus | Amazon Linux Local Security Checks | critical
109448 | Scientific Linux Security Update : golang on SL7.x (noarch) (20180410) | Nessus | Scientific Linux Local Security Checks | critical
109376 | CentOS 7 : golang (CESA-2018:0878) | Nessus | CentOS Local Security Checks | critical
108990 | RHEL 7 : golang (RHSA-2018:0878) | Nessus | Red Hat Local Security Checks | critical
106006 | Fedora 27 : golang (2017-f4fc897e8f) | Nessus | Fedora Local Security Checks | critical
105367 | RHEL 7 : go-toolset-7 and go-toolset-7-golang (RHSA-2017:3463) | Nessus | Red Hat Local Security Checks | critical
104392 | Amazon Linux AMI : golang (ALAS-2017-918) | Nessus | Amazon Linux Local Security Checks | critical
104066 | GLSA-201710-23 : Go: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
103997 | Fedora 25 : golang (2017-8f7bca960b) | Nessus | Fedora Local Security Checks | critical
103899 | Fedora 26 : golang (2017-6f1b90dbb7) | Nessus | Fedora Local Security Checks | critical