#VU56023 Missing Authorization in Go programming language - CVE-2021-33197

Cybersecurity Help s.r.o.

Published: 2021-08-22 | Updated: 2022-10-19

Vulnerability identifier: #VU56023

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-33197

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to an error in some configurations of ReverseProxy (from net/http/httputil). A remote attacker can drop arbitrary headers and bypass authorization process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.15 - 1.16.4

External links
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
https://groups.google.com/g/golang-announce

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing authorization in IBM Cloud Pak for Data

Multiple vulnerabilities in IBM QRadar Suite software

Splunk Enterprise update for third-party packages

Multiple vulnerabilities in Dell PowerProtect Cyber Recovery

Multiple vulnerabilities in Netcool Operations Insight

Red Hat Enterprise Linux 9 update for podman

Red Hat Enterprise Linux 9 update for buildah

Multiple vulnerabilities in Oracle Linux

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in IBM Operations Dashboard