CVE-2021-41772
published 2021-11-08CVE-2021-41772: Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename…
PriorityP339high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
3.05%
85.9th percentile
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | < 1.16.10 | 1.16.10 |
| golang | go | >= 1.17.0 < 1.17.3 | 1.17.3 |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_golang_1.17.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_golang_1.16.10-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5LOW
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8rv2-6fw3-rxjg: Go before 1
ghsa_unreviewed·2022-05-24
CVE-2021-41772 [MEDIUM] CWE-20 GHSA-8rv2-6fw3-rxjg: Go before 1
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
OSV
Panic when opening certain archives in archive/zip
osv·2022-01-13
CVE-2021-41772 Panic when opening certain archives in archive/zip
Panic when opening certain archives in archive/zip
Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements.
Open could also panic if passed the empty string directly as an argument.
Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.
Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one.
Finally, the actual panic site was made robust as a defense-in-depth measure.
OSV
CVE-2021-41772: Go before 1
osv·2021-11-08·CVSS 7.5
CVE-2021-41772 [HIGH] CVE-2021-41772: Go before 1
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
CISA ICS
Siemens Brownfield Connectivity Gateway
cisa_ics·2023-02-16·CVSS 7.5
[HIGH] Siemens Brownfield Connectivity Gateway
ICS Advisory
##
Siemens Brownfield Connectivity Gateway
Release DateFebruary 16, 2023
Alert CodeICSA-23-047-04
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Brownfield Connectivity—Gateway
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Uncontrolled Resource Consumption, Exposure of Resource to Wrong S
Microsoft
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
vendor_msrc·2021-11-09·CVSS 7.5
CVE-2021-41772 [HIGH] CWE-20 Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Marin
Red Hat
golang: archive/zip: Reader.Open panics on empty string
vendor_redhat·2021-08-30·CVSS 7.5
CVE-2021-41772 [HIGH] CWE-73 golang: archive/zip: Reader.Open panics on empty string
golang: archive/zip: Reader.Open panics on empty string
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument.
Statement: * In OpenShift Container Platform multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of serv
Debian
CVE-2021-41772: golang-1.15 - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open pan...
vendor_debian·2021·CVSS 7.5
CVE-2021-41772 [HIGH] CVE-2021-41772: golang-1.15 - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open pan...
Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdfhttps://groups.google.com/g/golang-announce/c/0fM21h43archttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/https://security.gentoo.org/glsa/202208-02https://security.netapp.com/advisory/ntap-20211210-0003/https://www.oracle.com/security-alerts/cpujul2022.htmlhttps://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdfhttps://groups.google.com/g/golang-announce/c/0fM21h43archttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/https://security.gentoo.org/glsa/202208-02https://security.netapp.com/advisory/ntap-20211210-0003/https://www.oracle.com/security-alerts/cpujul2022.html
2021-11-08
Published