CVE-2017-15042

EPSS 0.18%

Cleartext transmission of credentials in net/smtp

Published: 1/7/2022Modified: 5/20/2024

Description

SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.

Affected packages (1)

Go/stdlib>= 1.1.0-0, < 1.8.4, >= 1.9.0-0, < 1.9.1

References (4)

PATCHhttps://go.dev/cl/68170
PATCHhttps://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790
REPORThttps://go.dev/issue/22134
WEBhttps://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ