CVE-2017-15042

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

• CWE-319

• http://www.securityfocus.com/bid/101197Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2017:3463
• https://access.redhat.com/errata/RHSA-2018:0878
• https://github.com/golang/go/issues/22134Issue Tracking, Patch, Vendor Advisory
• https://golang.org/cl/68023Issue Tracking, Patch, Vendor Advisory
• https://golang.org/cl/68210Vendor Advisory
• https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJMailing List, Vendor Advisory
• https://security.gentoo.org/glsa/201710-23Third Party Advisory
• http://www.securityfocus.com/bid/101197Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2017:3463
• https://access.redhat.com/errata/RHSA-2018:0878
• https://github.com/golang/go/issues/22134Issue Tracking, Patch, Vendor Advisory
• https://golang.org/cl/68023Issue Tracking, Patch, Vendor Advisory
• https://golang.org/cl/68210Vendor Advisory
• https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJMailing List, Vendor Advisory
• https://security.gentoo.org/glsa/201710-23Third Party Advisory

Published

Oct 5, 2017

Last Modified

Jun 17, 2026

Status

Modified