CVE-2021-41772 — Panic when opening certain archives in archive/zip

Description

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

How to fix CVE-2021-41772

To remediate CVE-2021-41772, upgrade the affected package to a fixed version below.

Bitnami/golang—upgrade to 1.16.10 or later
—upgrade to 1.16.10 or later

Is CVE-2021-41772 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.16.10, >= 1.17.0, < 1.17.3
from 0, < 1.16.10, >= 1.17.0-0, < 1.17.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (11)

PATCHgo.dev/cl/349770
PATCHgo.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
REPORTgo.dev/issue/48085
WEBcert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
WEB