CVE-2021-39293
published 2022-01-24CVE-2021-39293: In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader…
PriorityP342high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
6.93%
93.3th percentile
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.15-1~deb11u1 (bullseye) | golang-1.15 1.15.15-1~deb11u1 (bullseye) |
| golang | go | < 1.16.8 | 1.16.8 |
| golang | go | >= 1.17.0 < 1.17.1 | 1.17.1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Panic due to crafted inputs in archive/zip
osv·2022-05-18·CVSS 7.5
CVE-2021-39293 [HIGH] Panic due to crafted inputs in archive/zip
Panic due to crafted inputs in archive/zip
The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.
GHSA
GHSA-j532-8pqq-78jr: In archive/zip in Go before 1
ghsa_unreviewed·2022-01-25·CVSS 7.5
CVE-2021-39293 [HIGH] CWE-770 GHSA-j532-8pqq-78jr: In archive/zip in Go before 1
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
OSV
CVE-2021-39293: In archive/zip in Go before 1
osv·2022-01-24·CVSS 7.5
CVE-2021-39293 [HIGH] CVE-2021-39293: In archive/zip in Go before 1
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
CISA ICS
Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
cisa_ics·2022-06-16·CVSS 9.8
[CRITICAL] Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
Last RevisedJune 16, 2022
Alert CodeICSA-22-167-09
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely, low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE LPE9403
- Vulnerabilities: Multiple
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause crashes and unrestricted file access, impacting the product’s confidentiality, integrity, and availability.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of SCALANCE LPE9403 (Local Processing
Red Hat
golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
vendor_redhat·2021-08-18·CVSS 7.5
CVE-2021-39293 [HIGH] CWE-400 golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.
Statement: * In Op
Debian
CVE-2021-39293: golang-1.15 - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive h...
vendor_debian·2021·CVSS 7.5
CVE-2021-39293 [HIGH] CVE-2021-39293: golang-1.15 - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive h...
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
Scope: local
bullseye: resolved (fixed in 1.15.15-1~deb11u1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdfhttps://groups.google.com/g/golang-announce/c/dx9d7IOseHwhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.htmlhttps://security.netapp.com/advisory/ntap-20220217-0009/https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdfhttps://groups.google.com/g/golang-announce/c/dx9d7IOseHwhttps://lists.debian.org/debian-lts-announce/2023/04/msg00021.htmlhttps://security.netapp.com/advisory/ntap-20220217-0009/
2022-01-24
Published