Vulnerability Details : CVE-2017-15042
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, in upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
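A client-side guard for code that may still build on an affected Go release, shown as an added example (not code from the Go project or from this advisory): it wraps smtp.PlainAuth and decides from the connection's TLS state, never from the mechanisms the server advertises. The names NewTLSOnlyPlain, ErrCleartext and ErrWrongHost, the host mail.example.test and the credentials are assumptions made up for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

var (
	ErrCleartext = errors.New("refusing PLAIN auth: connection is not TLS")
	ErrWrongHost = errors.New("refusing PLAIN auth: unexpected server name")
)

// tlsOnlyPlain is a hypothetical wrapper, not part of net/smtp.
type tlsOnlyPlain struct {
	host  string
	inner smtp.Auth
}

func NewTLSOnlyPlain(identity, user, pass, host string) smtp.Auth {
	return &tlsOnlyPlain{host: host, inner: smtp.PlainAuth(identity, user, pass, host)}
}

// Start is called by smtp.Client.Auth before any credential is sent.
func (a *tlsOnlyPlain) Start(server *smtp.ServerInfo) (string, []byte, error) {
	// server.Auth (the advertised mechanisms) can be forged on a cleartext
	// link, so it is deliberately not consulted. Unlike the patched standard
	// library, this guard makes no exception for localhost.
	if !server.TLS {
		return "", nil, ErrCleartext
	}
	if server.Name != a.host {
		return "", nil, ErrWrongHost
	}
	return a.inner.Start(server)
}

func (a *tlsOnlyPlain) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

func main() {
	auth := NewTLSOnlyPlain("", "alice", "constructed-password", "mail.example.test")
	// Constructed ServerInfo values standing in for two live connections.
	noTLS := &smtp.ServerInfo{Name: "mail.example.test", TLS: false, Auth: []string{"PLAIN"}}
	withTLS := &smtp.ServerInfo{Name: "mail.example.test", TLS: true, Auth: []string{"PLAIN"}}
	_, _, err := auth.Start(noTLS)
	fmt.Println("no STARTTLS:", err)
	proto, _, err := auth.Start(withTLS)
	fmt.Println("after STARTTLS:", proto, err)
}
```

Pass the returned value wherever an smtp.Auth is accepted, for example to smtp.SendMail or to Client.Auth after StartTLS.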
Products affected by CVE-2017-15042
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:1.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15042
- 0.29%: Probability of exploitation activity in the next 30 days
- ~ 64%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-15042
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2017-15042
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15042
- https://access.redhat.com/errata/RHSA-2018:0878
  RHSA-2018:0878 - Security Advisory - Red Hat Customer Portal
- https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
  [security] Go 1.8.4 and Go 1.9.1 are released - Google Groups (Mailing List; Vendor Advisory)
- https://github.com/golang/go/issues/22134
  smtp.PlainAuth susceptible to man-in-the-middle password harvesting [Go 1.8] · Issue #22134 · golang/go · GitHub (Issue Tracking; Patch; Vendor Advisory)
- https://golang.org/cl/68023
  (Issue Tracking; Patch; Vendor Advisory)
- https://security.gentoo.org/glsa/201710-23
  Go: Multiple vulnerabilities (GLSA 201710-23) — Gentoo security (Third Party Advisory)
- http://www.securityfocus.com/bid/101197
  Golang Go CVE-2017-15042 Man in the Middle Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://golang.org/cl/68210
  (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2017:3463
  RHSA-2017:3463 - Security Advisory - Red Hat Customer Portal