PT-2021-17668 · Google+6 · Go+6

Sam Whited

Published

2021-02-19

Updated

2024-06-15

CVE-2021-27918

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.15.9 Go versions 1.16.x prior to 1.16.1

Description: The issue arises when a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element, potentially causing an infinite loop in the Decode, DecodeElement, or Skip method of an xml.Decoder. This can occur when operating on a custom xml.TokenReader.

Recommendations: For Go versions prior to 1.15.9, update to version 1.15.9 or later to resolve the issue. For Go versions 1.16.x prior to 1.16.1, update to version 1.16.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom TokenReaders that may return EOF in the middle of an element until a patch is applied.

Exploit

Fix

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-835

Related Identifiers

ALT-PU-2021-1376

ALT-PU-2021-1470

ALT-PU-2021-1482

ALT-PU-2021-1941

AZL-79104

BIT-GOLANG-2021-27918

CESA-2021_3076

CVE-2021-27918

GO-2021-0234

MGASA-2021-0369

OESA-2021-1184

OPENSUSE-SU-2021:0480-1

OPENSUSE-SU-2021_0480-1

OPENSUSE-SU-2024:10808-1

OPENSUSE-SU-2024:10809-1

RHSA-2021:2704

RHSA-2021:3076

RHSA-2021:3555

RHSA-2021_3076

RLSA-2021:3076

SUSE-SU-2021:0937-1

SUSE-SU-2021:0938-1

SUSE-SU-2021_0937-1

SUSE-SU-2021_0938-1

Affected Products

Alt Linux

Astra Linux

Centos

Red Hat

Rocky Linux

Suse

PT-2021-17668 · Google+6 · Go+6

CVE-2021-27918

Weakness Enumeration

Related Identifiers

Affected Products

References · 65