PT-2022-10892 · Go+6

Emmanuel Odeke · Published 2021-09-13 · Updated 2024-06-15 · CVE-2021-39293

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.16.8; Go versions 1.17.x prior to 1.17.1

Description: A crafted archive header that falsely declares a large number of files causes the NewReader and OpenReader functions in archive/zip to panic or abort with an unrecoverable fatal error, regardless of the archive's actual size. The bug is the result of an incomplete fix for a previous issue.

Recommendations: For Go versions prior to 1.16.8, update to version 1.16.8 or later. For Go versions 1.17.x prior to 1.17.1, update to version 1.17.1 or later. As a temporary workaround, consider restricting the use of the NewReader and OpenReader functions in archive/zip until a patch is available.
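The following is an added example, not code from this advisory or from the Go project, showing the defender-side shape of the workaround above: before handing untrusted bytes to archive/zip, read the entry count the archive's end-of-central-directory record claims and reject the archive when that count cannot fit in the archive's actual size (every central directory header occupies at least 46 fixed bytes). The function names, the in-memory sample archive and the tampered copy used as a test fixture are constructed for this example; the check itself does not depend on the Go version.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ZIP end-of-central-directory (EOCD) record layout used below:
//   offset 0:  signature 0x06054b50
//   offset 10: total number of entries in the central directory (uint16)
//   offset 20: comment length (uint16); the comment follows the record
const (
	eocdSignature   = 0x06054b50
	eocdMinSize     = 22
	centralHdrFixed = 46 // fixed part of one central directory header
)

var (
	errNoEOCD              = errors.New("zip: end of central directory record not found")
	errClaimedCountTooLarge = errors.New("zip: claimed file count exceeds archive size")
)

// claimedEntryCount scans the tail of the archive (the record plus up to
// 65535 bytes of trailing comment) for the EOCD signature and returns the
// number of files the header claims the archive contains.
func claimedEntryCount(data []byte) (int, error) {
	start := len(data) - (eocdMinSize + 0xFFFF)
	if start < 0 {
		start = 0
	}
	for i := len(data) - eocdMinSize; i >= start; i-- {
		if binary.LittleEndian.Uint32(data[i:]) == eocdSignature {
			return int(binary.LittleEndian.Uint16(data[i+10:])), nil
		}
	}
	return 0, errNoEOCD
}

// safeNewReader is a hypothetical wrapper around zip.NewReader: an archive
// whose claimed entry count cannot physically fit in the bytes we hold is
// rejected before archive/zip ever parses it. Assumes the whole archive is
// already in memory (the caller has bounded its size).
func safeNewReader(data []byte) (*zip.Reader, error) {
	n, err := claimedEntryCount(data)
	if err != nil {
		return nil, err
	}
	if n*centralHdrFixed > len(data) {
		return nil, errClaimedCountTooLarge
	}
	return zip.NewReader(bytes.NewReader(data), int64(len(data)))
}

// buildArchive returns a small, valid archive with the given number of
// files (constructed sample input).
func buildArchive(files int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for i := 0; i < files; i++ {
		f, _ := w.Create(fmt.Sprintf("file%d.txt", i))
		io.WriteString(f, "hello")
	}
	w.Close()
	return buf.Bytes()
}

// tamperEntryCount returns a copy of the archive whose EOCD entry count has
// been overwritten; it exists only as a test fixture for the check above.
func tamperEntryCount(data []byte, count uint16) []byte {
	out := append([]byte(nil), data...)
	for i := len(out) - eocdMinSize; i >= 0; i-- {
		if binary.LittleEndian.Uint32(out[i:]) == eocdSignature {
			binary.LittleEndian.PutUint16(out[i+10:], count)
			break
		}
	}
	return out
}

func main() {
	good := buildArchive(3)
	if r, err := safeNewReader(good); err == nil {
		fmt.Println("accepted:", len(r.File), "files")
	}
	bad := tamperEntryCount(good, 0xFFFF)
	_, err := safeNewReader(bad)
	fmt.Println("rejected:", err)
}
```

The size-versus-count comparison is deliberately coarse: it does not try to validate the central directory, only to refuse inputs whose header is lying about how much work the parser will do, which is the class of input this advisory describes. Detection teams can log `errClaimedCountTooLarge` events as a signal that a client is sending malformed archives.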

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

ALSA-2022:1819
ALT-PU-2021-2786
ALT-PU-2021-2983
ALT-PU-2021-3222
ALT-PU-2021-3540
ALT-PU-2022-1243
ALT-PU-2022-2873
BIT-GOLANG-2021-39293
CESA-2022_1819
CVE-2021-39293
DLA-2891-1
DLA-2892-1
DLA-3395-1
DLA-3395-2
GO-2022-0273
MGASA-2021-0475
OESA-2022-1518
OPENSUSE-SU-2021:1342-1
OPENSUSE-SU-2021:3292-1
OPENSUSE-SU-2021_1342-1
OPENSUSE-SU-2021_3292-1
OPENSUSE-SU-2024:10809-1
OPENSUSE-SU-2024:10810-1
RHSA-2022:0432
RHSA-2022:1819
RHSA-2022_1819
RLSA-2022:1819
SUSE-RU-2021:3315-1
SUSE-SU-2021:3292-1
SUSE-SU-2021_3292-1

Affected Products

Alt Linux
Almalinux
Centos
Go
Red Hat
Rocky Linux
Suse