CVE-2021-27919
Published 2021-03-11
CVE-2021-27919: archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in…
Priority: P421 · Severity: medium · CVSS 3.1: 5.5
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 1.52% (71.4th percentile)
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | >= 1.16.0 < 1.16.1 | 1.16.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | LOW | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
GHSA
GHSA-v7gg-6p99-5jxq: archive/zip in Go 1
ghsa_unreviewed · 2022-05-24 · CVE-2021-27919 [MEDIUM]
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
OSV
Panic when opening archives in archive/zip
osv · 2021-04-14 · CVE-2021-27919
Using Reader.Open on an archive containing a file with a path prefixed by "../" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.
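As an added defensive example, not code from the Go project or from any of the advisories quoted on this page, the program below builds two sample archives in memory (one of them with an entry named `../evil.txt`, the shape the OSV text describes), and refuses any archive whose entry names escape the root before `Reader.Open` is ever called. It goes beyond the leading-`../` case in the advisory and also refuses absolute paths, drive-letter paths and `..` segments anywhere in a name. The function names `buildArchive`, `isUnsafeName`, `unsafeEntries` and `openChecked` are chosen here and are not part of `archive/zip`.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// buildArchive writes an in-memory ZIP whose entries have the given names.
// It exists only to construct sample input for this example.
func buildArchive(names []string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range names {
		// zip.Writer does not validate entry names, so "../evil.txt" is stored as-is.
		f, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := f.Write([]byte("sample")); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// isUnsafeName reports whether a ZIP entry name escapes the archive root:
// a leading "../" (the trigger named in the advisory), an absolute path,
// a drive-letter path, or a ".." that is still present after cleaning.
func isUnsafeName(name string) bool {
	// Treat backslashes as separators; some archivers write Windows-style paths.
	n := strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(n, "/") {
		return true
	}
	if len(n) >= 2 && n[1] == ':' { // e.g. "C:/..." (hypothetical sample shape)
		return true
	}
	// path.Clean resolves ".." against earlier elements; anything that still
	// starts with ".." afterwards ("../x", "a/../../x", "..") leaves the root.
	c := path.Clean(n)
	return c == ".." || strings.HasPrefix(c, "../")
}

// unsafeEntries returns the entry names in data that fail isUnsafeName.
// It walks r.File directly and never calls Reader.Open, so the lookup path
// described in the advisory is not exercised while the archive is checked.
func unsafeEntries(data []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, err // malformed archive, nothing to scan
	}
	// Go 1.20+ can return a usable Reader together with an insecure-path error
	// (GODEBUG zipinsecurepath); the scan below reports those same names.
	var bad []string
	for _, f := range r.File {
		if isUnsafeName(f.Name) {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// openChecked rejects the whole archive if any entry name is unsafe and only
// then reads the requested entry through Reader.Open.
func openChecked(data []byte, name string) ([]byte, error) {
	bad, err := unsafeEntries(data)
	if err != nil {
		return nil, err
	}
	if len(bad) > 0 {
		return nil, fmt.Errorf("archive rejected: unsafe entry names %q", bad)
	}
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	f, err := r.Open(name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	clean, _ := buildArchive([]string{"docs/readme.txt"})
	hostile, _ := buildArchive([]string{"docs/readme.txt", "../evil.txt"})
	for _, a := range [][]byte{clean, hostile} {
		body, err := openChecked(a, "docs/readme.txt")
		fmt.Printf("body=%q err=%v\n", body, err)
	}
}
```

The pre-check matters because recovering from a panic is no substitute here: a goroutine stack overflow is a fatal runtime error in Go that `recover()` cannot catch, so validation has to happen before `Open` is called, and upgrading to Go 1.16.1 remains the actual fix.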
OSV
CVE-2021-27919: archive/zip in Go 1
osv · 2021-03-11 · CVSS 5.5 · CVE-2021-27919 [MEDIUM]
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
Red Hat
golang: archive/zip: panic when calling Reader.Open
vendor_redhat · 2021-03-10 · CVSS 5.5 · CVE-2021-27919 [MEDIUM] · CWE-125
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
An out-of-bounds read vulnerability was found in golang. When the archive/zip standard library (stdlib) is used and an unexpected file is parsed, golang can attempt to read outside of a slice (array), causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash, resulting in a denial of service (DoS).
Package: CLI (OpenShift Serverless) - Not affected
Package: knative-eventing (OpenShift Serverless) - Not affected
Package: knativ
Debian
CVE-2021-27919: golang-1.15 - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of ser...
vendor_debian · 2021 · CVSS 5.5 · CVE-2021-27919 [MEDIUM]
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
- https://security.gentoo.org/glsa/202208-02
Published: 2021-03-11