CVE-2017-15042 — Cleartext Transmission of Sensitive Info in GO

CWE-319 — Cleartext Transmission of Sensitive Info CWE-300 — Channel Accessible by Non-Endpoint10 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 60.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO

Timeline

PublishedOct 5

Latest updateMay 13

Description

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't ad…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages1 packages

▶NVDgolang/go1.8.3+1

Patches

Patch: github.com ↗Patch: golang.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-crv5-fmcw-6rw4: An unintended cleartext issue exists in Go before 1↗2022-05-13

▶

OSV

Cleartext transmission of credentials in net/smtp↗2022-01-07

▶

OSV

CVE-2017-15042: An unintended cleartext issue exists in Go before 1↗2017-10-05

▶

CVEList

CVE-2017-15042: An unintended cleartext issue exists in Go before 1↗2017-10-05

▶

📋Vendor Advisories

Microsoft

▶

Red Hat

golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting↗2017-10-04

▶

💬Community

Bugzilla

CVE-2017-15041 CVE-2017-15042 golang: various flaws [fedora-all]↗2017-10-05

▶

Bugzilla

CVE-2017-15042 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting↗2017-10-05

▶

Bugzilla

CVE-2017-15041 CVE-2017-15042 golang: various flaws [epel-6]↗2017-10-05

▶