CVE-2021-36221

CWE-362 — Race Condition8 documents7 sources

Severity

5.9MEDIUM

EPSS

0.2%

top 54.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Oracle Timesten In-memory Database Siemens Scalance Lpe9403 Firmware +2 more

Timeline

PublishedAug 8

Latest updateMay 24

Description

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶Gostdlib1.16.0-0 — 1.16.7+1

▶NVDgolang/go1.16.0 — 1.16.7+1

▶NVDsiemens/scalance_lpe9403_firmware< 2.0

▶NVDoracle/timesten_in-memory_database< 21.1.1.1.0

▶Debiangolang-1.15< 1.15.15-1~deb11u1

Also affects: Debian Linux 9.0, Fedora 33, 34, 35

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-6qcx-qr4g-4fx9: Go before 1↗2022-05-24

▶

OSV

Panic in ReverseProxy in net/http/httputil↗2022-02-17

▶

OSV

CVE-2021-36221: Go before 1↗2021-08-08

▶

CVEList

CVE-2021-36221: Go before 1↗2021-08-08

▶

📋Vendor Advisories

Microsoft

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.↗2021-08-10

▶

Red Hat

golang: net/http/httputil: panic due to racy read of persistConn after handler panic↗2021-08-05

▶

Debian

CVE-2021-36221: golang-1.15 - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to...↗2021

▶