CVE-2021-33195
Published 2021-08-02
Priority P3 · 41 · high · 7.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 3.23% (86.7th percentile)
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.9-5 (bullseye) | golang-1.15 1.15.9-5 (bullseye) |
| golang | go | < 1.15.13 | 1.15.13 |
| golang | go | >= 1.16.0 < 1.16.5 | 1.16.5 |
| msrc | azl3_golang_1.23.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.3 | HIGH | — |
| vendor_debian | — | 7.3 | HIGH | — |
| vendor_msrc | — | 7.3 | HIGH | — |
| vendor_redhat | — | 7.3 | HIGH | — |
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-11-01·CVSS 9.8
CVE-2017-12424 [CRITICAL] PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Microsoft
CVE-2021-33195 [HIGH] CWE-74
vendor_msrc·2021-08-10·CVSS 7.3
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers and thus a return value may contain an unsafe injection (e.g. XSS) that does not conform to the RFC1035 format.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is
Red Hat
golang: net: lookup functions may return invalid host names
vendor_redhat·2021-05-18·CVSS 7.3
CVE-2021-33195 [HIGH] CWE-20
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.
Statement:
* Since OpenShift Container Platform 3.11 is in the Maintenance Phase of support, only Important and Critical severity vulnerabilities will be addressed at this time.
* For Red Hat OpenStack P
Debian
CVE-2021-33195: golang-1.15 - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do...
vendor_debian·2021·CVSS 7.3
CVE-2021-33195 [HIGH]
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
Scope: local
bullseye: resolved (fixed in 1.15.9-5)
GHSA
GHSA-xf7m-5vgf-jhv9: Go before 1
ghsa_unreviewed·2022-05-24
CVE-2021-33195 [HIGH] CWE-74
Go before 1.15.12 and 1.16.x before 1.16.5 allows injection.
OSV
Improper sanitization when resolving values from DNS in net
osv·2022-02-17
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.
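The Red Hat and OSV descriptions above both come down to the same defensive rule: treat a name returned by a lookup as untrusted input, check it against the RFC 1035 name syntax, and HTML-escape it before it reaches a page. The following Go program is an added example written for this page; it is not Go's own resolver code nor the fix shipped in 1.15.13/1.16.5. `ValidDNSName`, `validLabel` and `SafeHTMLName` are names chosen here, the sample answers are constructed, and allowing underscores in labels (needed for SRV owner names such as `_sip._tcp`) is an assumption of the example, not an RFC 1035 rule.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Limits from RFC 1035 (section 2.3.1, preferred name syntax; section 2.3.4,
// size limits): labels of 1..63 octets and a whole name of at most 253 octets
// once the optional trailing dot is removed.
const (
	maxLabelLen = 63
	maxNameLen  = 253
)

// ValidDNSName reports whether name is a syntactically valid hostname:
// dot-separated labels of letters, digits and hyphens (underscore is also
// accepted here, an assumption of this example, because SRV owner names use
// it), no label starting or ending with a hyphen, within the length limits.
func ValidDNSName(name string) bool {
	if name == "" {
		return false
	}
	// A single trailing dot marks an absolute name and is allowed.
	name = strings.TrimSuffix(name, ".")
	if len(name) == 0 || len(name) > maxNameLen {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if !validLabel(label) {
			return false
		}
	}
	return true
}

func validLabel(label string) bool {
	if len(label) == 0 || len(label) > maxLabelLen {
		return false
	}
	if label[0] == '-' || label[len(label)-1] == '-' {
		return false
	}
	for i := 0; i < len(label); i++ {
		c := label[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9', c == '-', c == '_':
			// allowed octet
		default:
			return false
		}
	}
	return true
}

// SafeHTMLName returns the text to embed in HTML for a name that came back
// from a lookup. Invalid names are replaced by a fixed marker and valid ones
// are HTML-escaped, so neither branch can carry markup into the page.
func SafeHTMLName(name string) string {
	if !ValidDNSName(name) {
		return "[invalid DNS name]"
	}
	return html.EscapeString(name)
}

func main() {
	// Constructed sample answers, standing in for values an unpatched
	// LookupCNAME/LookupMX/LookupSRV could have passed through unchecked.
	answers := []string{
		"mail.example.com.",
		"_sip._tcp.example.com",
		"<b>bold</b>.example.com",
		"-bad.example.com",
		strings.Repeat("a", 64) + ".example.com",
	}
	for _, a := range answers {
		fmt.Printf("%-45q valid=%-5v html=%s\n", a, ValidDNSName(a), SafeHTMLName(a))
	}
}
```

The check belongs at the trust boundary, right after the lookup returns, regardless of Go version: the patched resolver rejects malformed names, but `LookupTXT` is explicitly excluded from that guarantee, and any name that is later written into HTML still needs escaping.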
OSV
CVE-2021-33195: Go before 1
osv·2021-08-02·CVSS 7.3
CVE-2021-33195 [HIGH]
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://groups.google.com/g/golang-announce
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
https://security.gentoo.org/glsa/202208-02
https://security.netapp.com/advisory/ntap-20210902-0005/