#VU12161 Man-in-the-middle attack in Go programming language - CVE-2017-15042


| Updated: 2018-05-08

Vulnerability identifier: #VU12161

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-15042

CWE-ID: CWE-300

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the smtp.PlainAuth implementation due to an unintended cleartext issue. A remote attacker can conduct man-in-the-middle attack and gain the username and password.

Mitigation
Update to versions 1.8.4 or 1.9.1.

Vulnerable software versions

Go programming language: 1.8 - 1.8.3, 1.9

External links
https://github.com/golang/go/issues/22134

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat update for golang
Red Hat Developer Tools update for go-toolset-7 and go-toolset-7-golang
Amazon Linux AMI update for golang
Man-in-the-middle attack in go (Alpine package)
Gentoo update for Go
Fedora EPEL 6 update for golang
Fedora 25 update for golang
Fedora 27 update for golang
Fedora 26 update for golang