Multiple vulnerabilities in Go



Published: 2021-01-27
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-3114
CVE-2021-3115
CWE-ID CWE-682
CWE-78
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Go programming language
Universal components / Libraries / Scripting languages

Vendor Google

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect calculation

EUVDB-ID: #VU50047

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3114

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to incorrect calculation performed by the application in "crypto/elliptic/p224.go". A remote attacker can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.14.1 - 1.14.13, 1.15 - 1.15.6


CPE2.3 External links

http://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871
http://groups.google.com/g/golang-announce/c/mperVMGa98w

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) OS Command Injection

EUVDB-ID: #VU50046

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3115

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when using the "go get" command to fetch modules that make use of cgo. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.14.1 - 1.14.13, 1.15 - 1.15.6


CPE2.3 External links

http://blog.golang.org/path-security
http://groups.google.com/g/golang-announce/c/mperVMGa98w

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###