CVE-2021-41772

Published: Nov 8, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

Affected (5)

Products: Golang: Go · Fedoraproject: Fedora · Oracle: Timesten In Memory Database

1 product

1 product

1 product

Timesten In Memory Database

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.16.10
Golang Go	From 1.17.0 to 1.17.3

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Timesten In Memory Database	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (14)

https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf

Source: cve@mitre.org

https://groups.google.com/g/golang-announce/c/0fM21h43arc

Source: cve@mitre.org

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202208-02

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211210-0003/

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: cve@mitre.org

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf