Vulnerability Details : CVE-2021-33195
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-33195
- cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-33195
0.73%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 81 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-33195
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
7.3
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
3.9
|
3.4
|
NIST |
CWE ids for CVE-2021-33195
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-33195
-
https://security.netapp.com/advisory/ntap-20210902-0005/
CVE-2021-33195 Golang Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
Go 1.16.5 and Go 1.15.13 are releasedExploit;Patch;Third Party Advisory
-
https://groups.google.com/g/golang-announce
golang-announce - Google GroupsThird Party Advisory
-
https://security.gentoo.org/glsa/202208-02
Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo securityThird Party Advisory
Jump to