CVE-2017-15042
Published 2017-10-05
Priority: P4 · 28 · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.10% (61.7th percentile)
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
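A client-side guard for the condition described above, as an added example that is not code from this page or from the Go project: it wraps any `smtp.Auth` and refuses to start authentication unless the connection is already under TLS, whatever mechanisms the server advertises. The names `RequireTLS`, `tlsOnlyAuth`, `ErrCleartextAuth` and `credentialsSent` are hypothetical, and the host and credentials are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// ErrCleartextAuth signals that credentials would have crossed a link without TLS.
var ErrCleartextAuth = errors.New("smtp: refusing AUTH on a connection without TLS")

// tlsOnlyAuth (hypothetical name) wraps any smtp.Auth and checks ServerInfo.TLS
// itself, so the decision never depends on which mechanisms the server advertises.
type tlsOnlyAuth struct{ inner smtp.Auth }

// RequireTLS (hypothetical helper) returns an Auth that fails closed without TLS.
// It is stricter than the standard library: localhost gets no exemption.
func RequireTLS(inner smtp.Auth) smtp.Auth { return tlsOnlyAuth{inner: inner} }

func (a tlsOnlyAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS {
		return "", nil, ErrCleartextAuth
	}
	return a.inner.Start(server)
}

func (a tlsOnlyAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

// credentialsSent reports whether Start would hand back an initial response
// (the encoded username and password) for the given server description.
func credentialsSent(auth smtp.Auth, info *smtp.ServerInfo) bool {
	_, toServer, err := auth.Start(info)
	return err == nil && len(toServer) > 0
}

func main() {
	// Constructed host and credentials, for illustration only.
	auth := RequireTLS(smtp.PlainAuth("", "user@example.test", "constructed-secret", "mail.example.test"))

	// The case from the advisory: no TLS in place, yet PLAIN is advertised.
	noTLS := &smtp.ServerInfo{Name: "mail.example.test", TLS: false, Auth: []string{"PLAIN"}}
	withTLS := &smtp.ServerInfo{Name: "mail.example.test", TLS: true, Auth: []string{"PLAIN"}}

	fmt.Println("credentials sent without TLS:", credentialsSent(auth, noTLS))
	fmt.Println("credentials sent with TLS:   ", credentialsSent(auth, withTLS))
}
```

Pass the wrapped value wherever an `smtp.Auth` is accepted, for example as the auth argument of `smtp.SendMail`.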
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| golang | go | <= 1.8.3 | — |
| golang | go | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance
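| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | | 5.9 | MEDIUM | |
| vendor_msrc | | 5.9 | MEDIUM | |
| vendor_redhat | | 5.9 | MEDIUM | |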
GHSA
GHSA-crv5-fmcw-6rw4: An unintended cleartext issue exists in Go before 1
ghsa_unreviewed·2022-05-13
CVE-2017-15042 [MEDIUM] CWE-319 GHSA-crv5-fmcw-6rw4: An unintended cleartext issue exists in Go before 1
OSV
Cleartext transmission of credentials in net/smtp
osv·2022-01-07
CVE-2017-15042 Cleartext transmission of credentials in net/smtp
SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.
OSV
CVE-2017-15042: An unintended cleartext issue exists in Go before 1
osv·2017-10-05·CVSS 5.9
CVE-2017-15042 [MEDIUM] CVE-2017-15042: An unintended cleartext issue exists in Go before 1
Microsoft
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. Th
vendor_msrc·2017-10-10·CVSS 5.9
CVE-2017-15042 [MEDIUM] CWE-319 An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. Th
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits t
Red Hat
golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
vendor_redhat·2017-10-04·CVSS 5.9
CVE-2017-15042 [MEDIUM] CWE-300 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-15041 CVE-2017-15042 golang: various flaws [fedora-all]
bugzilla·2017-10-05·CVSS 9.8
CVE-2017-15041 [CRITICAL] CVE-2017-15041 CVE-2017-15042 golang: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. W
Bugzilla
CVE-2017-15042 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
bugzilla·2017-10-05·CVSS 5.9
CVE-2017-15042 [MEDIUM] CVE-2017-15042 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
It was found that the smtp.PlainAuth scheme was vulnerable to a man-in-the-middle attack. The smtp.PlainAuth implementation would send the username and password to a man-in-the-middle SMTP server that doesn’t advertise STARTTLS and does advertise that PLAIN auth is OK.
Upstream bug:
https://github.com/golang/go/issues/22134
Upstream patches:
Go 1.8: https://go-review.googlesource.com/c/go/+/68023
Go 1.9: https://go-review.googlesource.com/c/go/+/68210
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-6 [bug 1498872]
Affects: fedora-all [bug 1498873]
---
GitHub issue was updated to include CVE-2017-15042
---
This issue has been addressed in the following products:
Red Hat Develop
Bugzilla
CVE-2017-15041 CVE-2017-15042 golang: various flaws [epel-6]
bugzilla·2017-10-05·CVSS 9.8
CVE-2017-15041 [CRITICAL] CVE-2017-15041 CVE-2017-15042 golang: various flaws [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg update' reques
http://www.securityfocus.com/bid/101197
https://access.redhat.com/errata/RHSA-2017:3463
https://access.redhat.com/errata/RHSA-2018:0878
https://github.com/golang/go/issues/22134
https://golang.org/cl/68023
https://golang.org/cl/68210
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
https://security.gentoo.org/glsa/201710-23