Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2017-15042

Date: October 5, 2017

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

Language: Go

Severity Score

Related Resources (16)

https://access.redhat.com/security/cve/CVE-2017-15042
https://access.redhat.com/errata/RHSA-2018:0878
https://golang.org/cl/68210
https://golang.org/cl/68023
https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790
https://go.dev/issue/22134
https://github.com/golang/go/issues/22134
https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ
https://access.redhat.com/errata/RHSA-2017:3463
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
http://www.securityfocus.com/bid/101197
https://security.gentoo.org/glsa/201710-23
https://nvd.nist.gov/vuln/detail/CVE-2017-15042
https://go.dev/cl/68170
https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15042
https://www.mend.io/vulnerability-database/CVE-2017-15042

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Cleartext Transmission of Sensitive Information

CWE-319

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us