Vulnerability Name: | CVE-2021-33194 (CCN-202644) |
Assigned: | 2021-05-20 |
Published: | 2021-05-20 |
Updated: | 2022-06-03 |
Summary: | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. |
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) |
Exploitability Metrics: | Attack Vector (AV): Network | Attack Complexity (AC): Low | Privileges Required (PR): None | User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): None | Integrity (I): None | Availability (A): High |
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) |
Exploitability Metrics: | Attack Vector (AV): Network | Attack Complexity (AC): Low | Privileges Required (PR): None | User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): None | Integrity (I): None | Availability (A): High |
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P) |
Exploitability Metrics: | Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): None |
Impact Metrics: | Confidentiality (C): None | Integrity (I): None | Availability (A): Partial |
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C) |
Exploitability Metrics: | Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): None |
Impact Metrics: | Confidentiality (C): None | Integrity (I): None | Availability (A): Complete |
Vulnerability Type: | CWE-835 |
Vulnerability Consequences: | Denial of Service |
References: | Source: MITRE Type: CNA CVE-2021-33194
Source: XF Type: UNKNOWN golang-cve202133194-dos(202644)
Source: MISC Type: Patch, Third Party Advisory https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7
Source: CONFIRM Type: Third Party Advisory https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
Source: CCN Type: Golang Web site Vulnerability in golang.org/x/net/html
Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2022-17d004ed71
Source: CCN Type: IBM Security Bulletin 6483479 (API Connect) IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-33194).
Source: CCN Type: IBM Security Bulletin 6486011 (Watson Machine Learning on CP4D) Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-33194)
Source: CCN Type: IBM Security Bulletin 6499711 (Cloud Pak for Integration) Operations Dashboard is vulnerable to multiple Go vulnerabilities
Source: CCN Type: IBM Security Bulletin 6524682 (Spectrum Protect Plus) Vulnerabilities in Redis, OpenSSH, Golang Go, and Apache Kafka may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift
Source: CCN Type: IBM Security Bulletin 6574371 (Cloud Private) Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-33194)
Source: CCN Type: IBM Security Bulletin 6599203 (Netezza As A Service) IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525)
Source: CCN Type: IBM Security Bulletin 6599703 (Db2 On Openshift) Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data
Source: CCN Type: IBM Security Bulletin 6606299 (Cloud Pak for Multicloud Management) IBM Cloud Pak for Multicloud Management Monitoring has multiple vulnerabilities associated with the Go runtime (CVE-2021-29923, CVE-2021-31525, CVE-2021-33194, CVE-2021-33195, CVE-2021-33196, CVE-2021-33197, CVE-2021-33198)
Source: CCN Type: IBM Security Bulletin 6611143 (Netezza for Cloud Pak for Data) IBM Netezza for Cloud Pak for Data is vulnerable to denial of service due to Golang net package (CVE-2021-33194)
Source: CCN Type: IBM Security Bulletin 6833278 (CICS TX Standard) IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes.
Source: CCN Type: IBM Security Bulletin 6833280 (CICS TX Advanced) IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes.
Source: CCN Type: IBM Security Bulletin 6847643 (Spectrum Protect Plus) Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus
Source: CCN Type: IBM Security Bulletin 6991617 (Edge Application Manager) Open Source Dependency Vulnerability
Vulnerable Configuration: |
Configuration 1:
cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version >= 1.16.0 and <= 1.16.4)
OR cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version <= 1.15.12)
Configuration 2:
cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Configuration CCN 1:
cpe:/a:golang:go:1.15.12:*:*:*:*:*:*:*
OR cpe:/a:golang:go:1.16.4:*:*:*:*:*:*:*
AND cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:api_connect:2018.4.1.16:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:*
OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:*
OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:* |