Access Restriction Bypass Affecting golang-pkg-netbsd-386 package, versions <0:1.3.3-1.7.amzn1


Severity

Recommended
0.0
medium
0
10

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.1% (43rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN201803-GOLANGPKGNETBSD386-1678675
  • published27 Sept 2021
  • disclosed7 Oct 2014

Introduced: 7 Oct 2014

CVE-2014-7189  (opens in a new tab)
CWE-264  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2018.03 golang-pkg-netbsd-386 to version 0:1.3.3-1.7.amzn1 or higher.
This issue was patched in ALAS-2014-437.

NVD Description

Note: Versions mentioned in the description apply only to the upstream golang-pkg-netbsd-386 package and not the golang-pkg-netbsd-386 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.

CVSS Scores

version 3.1