Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2017-15042
HistoryOct 05, 2017 - 12:00 a.m.

CVE-2017-15042

2017-10-0500:00:00
ubuntu.com
ubuntu.com
9

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

68.3%

JSON

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before
1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only
be used on network connections secured with TLS. The original
implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and
it was documented to do so. In 2013, upstream issue #5184, this was changed
so that the server may decide whether PLAIN is acceptable. The result is
that if you set up a man-in-the-middle SMTP server that doesn’t advertise
STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth
implementation sends the username and password.

Notes

Author Note
mdeslaur Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays.
OSVersionArchitecturePackageVersionFilename
ubuntu16.04noarchgolang-1.6< anyUNKNOWN
ubuntu18.04noarchgolang-1.8< anyUNKNOWN

Related

redhatcve 1
veracode 1
prion 1
debiancve 1
osv 2
cve 1
nessus 11
openvas 3
ibm 1
fedora 3
mageia 1
redhat 2
gentoo 1
amazon 2
centos 1
redhatcve
redhatcve
CVE-2017-15042
2017-10-06 00:19:09
veracode
veracode
Man-in-the-Middle (MitM)
2017-10-06 03:10:34
prion
prion
Design/Logic Flaw
2017-10-05 21:29:00
debiancve
debiancve
CVE-2017-15042
2017-10-05 21:29:00
osv
osv
Cleartext transmission of credentials in net/smtp
2022-01-07 20:35:00
CVE-2017-15042
2017-10-05 21:29:00
cve
cve
CVE-2017-15042
2017-10-05 21:29:00
nessus
nessus
Fedora 26 : golang (2017-6f1b90dbb7)
2017-10-18 00:00:00
Fedora 25 : golang (2017-8f7bca960b)
2017-10-20 00:00:00
Amazon Linux AMI : golang (ALAS-2017-918)
2017-11-06 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2018-0089)
2022-01-28 00:00:00
Fedora Update for golang FEDORA-2017-6f1b90dbb7
2017-10-21 00:00:00
Fedora Update for golang FEDORA-2017-8f7bca960b
2017-10-21 00:00:00
ibm
ibm
Security Bulletin: A security vulnerability has been identified in Go shipped with IBM Cloud Schematics (CVE-2017-15041, CVE-2017-15042)
2018-06-17 22:33:37
fedora
fedora
[SECURITY] Fedora 26 Update: golang-1.8.4-1.fc26
2017-10-17 19:21:49
[SECURITY] Fedora 27 Update: golang-1.9.1-1.fc27
2017-10-11 14:48:46
[SECURITY] Fedora 25 Update: golang-1.7.6-3.fc25
2017-10-19 19:21:02
mageia
mageia
Updated golang packages fix security vulnerabilities
2018-01-22 00:31:56
redhat
redhat
(RHSA-2017:3463) Moderate: go-toolset-7 and go-toolset-7-golang security and bug fix update
2017-12-14 11:22:18
(RHSA-2018:0878) Moderate: golang security, bug fix, and enhancement update
2018-04-10 05:02:59
gentoo
gentoo
Go: Multiple vulnerabilities
2017-10-23 00:00:00
amazon
amazon
Medium: golang
2017-11-02 20:17:00
Medium: golang
2018-05-10 17:19:00
centos
centos
golang security update
2018-04-26 17:42:06

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

68.3%

JSON
Related for UB:CVE-2017-15042
redhatcve1veracode1prion1debiancve1osv2cve1nessus11openvas3ibm1fedora3mageia1redhat2gentoo1amazon2centos1