CVE-2021-33195 — Injection in GO

CWE-74 — Injection CWE-20 — Improper Input Validation9 documents8 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 90.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Paloalto Pan-os

Timeline

PublishedAug 2

Latest updateNov 1

Description

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages2 packages

▶NVDgolang/go1.16.0 — 1.16.5+1

▶Palo Altopaloalto/pan-os

Patches

Patch: groups.google.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

GHSA

GHSA-xf7m-5vgf-jhv9: Go before 1↗2022-05-24

▶

OSV

Improper sanitization when resolving values from DNS in net↗2022-02-17

▶

OSV

CVE-2021-33195: Go before 1↗2021-08-02

▶

CVEList

CVE-2021-33195: Go before 1↗2021-08-02

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-11-01

▶

Microsoft

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers and thus a return value may contain an unsafe injection (e.g. XSS) that does not ↗2021-08-10

▶

Red Hat

golang: net: lookup functions may return invalid host names↗2021-05-18

▶

Debian

CVE-2021-33195: golang-1.15 - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do...↗2021

▶