| Vulnerability Name: | CVE-2021-33194 (CCN-202644) |
| Assigned: | 2021-05-20 |
| Published: | 2021-05-20 |
| Updated: | 2022-06-03 |
| Summary: | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
|
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): High |
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): High |
|
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None | | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial |
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete |
|
| Vulnerability Type: | CWE-835
|
| Vulnerability Consequences: | Denial of Service |
| References: | Source: MITRE
Type: CNA
CVE-2021-33194
Source: XF
Type: UNKNOWN
golang-cve202133194-dos(202644)
Source: MISC
Type: Patch, Third Party Advisory
https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7
Source: CONFIRM
Type: Third Party Advisory
https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
Source: CCN
Type: Golang Web site
Vulnerability in golang.org/x/net/html
Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-17d004ed71
Source: CCN
Type: IBM Security Bulletin 6483479 (API Connect)
IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-33194).
Source: CCN
Type: IBM Security Bulletin 6486011 (Watson Machine Learning on CP4D)
Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-33194)
Source: CCN
Type: IBM Security Bulletin 6499711 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to multiple Go vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6524682 (Spectrum Protect Plus)
Vulnerabilities in Redis, OpenSSH, Golang Go, and Apache Kafka may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift
Source: CCN
Type: IBM Security Bulletin 6574371 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-33194)
Source: CCN
Type: IBM Security Bulletin 6599203 (Netezza As A Service)
IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525)
Source: CCN
Type: IBM Security Bulletin 6599703 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data
Source: CCN
Type: IBM Security Bulletin 6606299 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring has multiple vulnerabilities associated with the Go runtime (CVE-2021-29923, CVE-2021-31525, CVE-2021-33194, CVE-2021-33195, CVE-2021-33196, CVE-2021-33197, CVE-2021-33198)
Source: CCN
Type: IBM Security Bulletin 6611143 (Netezza for Cloud Pak for Data)
IBM Netezza for Cloud Pak for Data is vulnerable to denial of service due to Golang net package (CVE-2021-33194)
Source: CCN
Type: IBM Security Bulletin 6833278 (CICS TX Standard)
IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes.
Source: CCN
Type: IBM Security Bulletin 6833280 (CICS TX Advanced)
IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes.
Source: CCN
Type: IBM Security Bulletin 6847643 (Spectrum Protect Plus)
Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus
Source: CCN
Type: IBM Security Bulletin 6991617 (Edge Application Manager)
Open Source Dependency Vulnerability
|
| Vulnerable Configuration: | Configuration 1:
cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version >= 1.16.0 and <= 1.16.4)OR cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version <= 1.15.12)
Configuration 2:
cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Configuration CCN 1:
cpe:/a:golang:go:1.15.12:*:*:*:*:*:*:*OR cpe:/a:golang:go:1.16.4:*:*:*:*:*:*:*AND cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*OR cpe:/a:ibm:api_connect:2018.4.1.16:*:*:*:*:*:*:*OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:*OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:*OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
 Denotes that component is vulnerable |
| BACK |