Medium severity5.9NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026

CVE-2017-15042

Description

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

Affected products

Golang/Go2 versions
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*range: <=1.8.3
- cpe:2.3:a:golang:go:1.9:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/golang/go/issues/22134nvdIssue TrackingPatchVendor Advisory
golang.org/cl/68023nvdIssue TrackingPatchVendor Advisory
www.securityfocus.com/bid/101197nvdThird Party AdvisoryVDB Entry
golang.org/cl/68210nvdVendor Advisory
groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJnvdMailing ListVendor Advisory
security.gentoo.org/glsa/201710-23nvdThird Party Advisory
access.redhat.com/errata/RHSA-2017:3463nvd
access.redhat.com/errata/RHSA-2018:0878nvd

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000