Medium severity5.9NVD Advisory· Published Oct 5, 2017· Updated Jun 17, 2026
CVE-2017-15042
CVE-2017-15042
Description
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9- osv-coords6 versionspkg:rpm/opensuse/go1.10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.11&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.12&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.9&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go&distro=openSUSE%20Tumbleweed
< 1.10.8-8.2+ 5 more
- (no CPE)range: < 1.10.8-8.2
- (no CPE)range: < 1.11.13-10.5
- (no CPE)range: < 1.12.17-4.8
- (no CPE)range: < 1.4.3-12.2
- (no CPE)range: < 1.9.7-11.2
- (no CPE)range: < 1.17-1.1
Patches
Vulnerability mechanics
References
8- github.com/golang/go/issues/22134nvdIssue TrackingPatchVendor Advisory
- golang.org/cl/68023nvdIssue TrackingPatchVendor Advisory
- www.securityfocus.com/bid/101197nvdThird Party AdvisoryVDB Entry
- golang.org/cl/68210nvdVendor Advisory
- groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJnvdMailing ListVendor Advisory
- security.gentoo.org/glsa/201710-23nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2017:3463nvd
- access.redhat.com/errata/RHSA-2018:0878nvd
News mentions
0No linked articles in our index yet.