Description
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101197
Vendor Advisory x_refsource_confirm
https://golang.org/cl/68210
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://golang.org/cl/68023
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://github.com/golang/go/issues/22134
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201710-23
Mailing List, Vendor Advisory x_refsource_confirm
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3463
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0878
Scores
CVSS v3
5.9
EPSS
0.0018
EPSS Percentile
39.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-319
Status
published
Products (2)
golang/go
1.9
golang/go
< 1.8.3
Published
Oct 05, 2017
Tracked Since
Feb 18, 2026