Description
In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Openshift Serveless 1.20 | |||
| openshift-serverless-1/client-kn-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-controller-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-mtping-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-storage-version-migration-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-sugar-controller-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/eventing-webhook-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/ingress-rhel8-operator:1.20.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/knative-rhel8-operator:1.20.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/kn-cli-artifacts-rhel8:0.26.0-2 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/kourier-control-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/net-istio-controller-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/net-istio-webhook-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serverless-operator-bundle:1.20.0-3 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serverless-rhel8-operator:1.20.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-activator-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-autoscaler-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-controller-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-domain-mapping-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-queue-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-storage-version-migration-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/serving-webhook-rhel8:0.26.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1/svls-must-gather-rhel8:1.20.0-1 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:0.26.0-2 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:0.26.0-2 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:0.26.0-2 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:0.26.0-2 | cpe:/a:redhat:serverless:1.20::el8 | RHSA-2022:0434 | 2022-02-03T00:00:00Z |
| Openshift Serverless 1 on RHEL 8 | |||
| openshift-serverless-clients-0:0.26.0-2.el8 | cpe:/a:redhat:serverless:1.0::el8 | RHSA-2022:0432 | 2022-02-03T00:00:00Z |
| Red Hat Enterprise Linux 8 | |||
| go-toolset:rhel8-8060020220221035359.76a129d7 | cpe:/a:redhat:enterprise_linux:8 | RHSA-2022:1819 | 2022-05-10T00:00:00Z |
| Red Hat Migration Toolkit for Containers 1.6 | |||
| rhmtc/openshift-migration-velero-rhel8:v1.6.5-3 | cpe:/a:redhat:rhmt:1.6::el8 | RHSA-2022:4814 | 2022-05-31T00:00:00Z |
| Red Hat OpenShift Container Platform 4.9 | |||
| openshift4/ose-installer:v4.9.0-202202212240.p0.g4391c01.assembly.stream | cpe:/a:redhat:openshift:4.9::el8 | RHSA-2022:0655 | 2022-02-28T00:00:00Z |
| RHACS-3.67-RHEL-8 | |||
| advanced-cluster-security/rhacs-rhel8-operator:3.67.0-3 | cpe:/a:redhat:advanced_cluster_security:3.67::el8 | RHSA-2021:4902 | 2021-12-01T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Debian DLA |
DLA-2891-1 | golang-1.8 security update |
| Debian DLA |
DLA-2892-1 | golang-1.7 security update |
| Debian DLA |
DLA-3395-1 | golang-1.11 security update |
 EUVD |
EUVD-2021-25654 | In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-04T02:06:41.535Z
Reserved: 2021-08-19T00:00:00.000Z
Link: CVE-2021-39293
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-01-24T01:15:07.920
Modified: 2024-11-21T06:19:08.180
Link: CVE-2021-39293
Redhat
OpenCVE Enrichment
No data.