CVE-2017-15042

low-risk
Published 2017-10-05

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

Do I need to act?

-
0.18% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (2)

Go
Go

Affected Vendors

Golang

References (16)

Third Party Advisory http://www.securityfocus.com/bid/101197
https://access.redhat.com/errata/RHSA-2017:3463
https://access.redhat.com/errata/RHSA-2018:0878
Issue Tracking https://github.com/golang/go/issues/22134
Issue Tracking https://golang.org/cl/68023
Vendor Advisory https://golang.org/cl/68210
Mailing List https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
Third Party Advisory https://security.gentoo.org/glsa/201710-23
Third Party Advisory http://www.securityfocus.com/bid/101197
https://access.redhat.com/errata/RHSA-2017:3463
https://access.redhat.com/errata/RHSA-2018:0878
Issue Tracking https://github.com/golang/go/issues/22134
Issue Tracking https://golang.org/cl/68023
Vendor Advisory https://golang.org/cl/68210
Mailing List https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
Third Party Advisory https://security.gentoo.org/glsa/201710-23
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low