Skip to main content
Version: latest

CVE-2021-38297

CVE Details

Visit the official vulnerability details page for CVE-2021-38297 to learn more.

Initial Publication

01/20/2025

Last Update

02/05/2025

Third Party Dependency

go

NIST CVE Summary

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

CVE Severity

9.8

Our Official Summary

This vulnerability is reported on several of the 3rd party cni images used by our products such as calico and multus-cni. The out-of-bounds write vulnerability in the Bzip2 libraries can be exploited by a malicious bzip2 payload, potentially resulting in a denial of service or remote code execution. Network services or command line utilities that decompress untrusted bzip2 payloads are at risk. The risk scenario is low for the following reasons: These images are optional and will be installed depending on the configuration of the deployments; there are no known reports of exploitation from the 3rd party vendors; and these images are not accessible directly for an attacker to send crafted input. We will upgrade the images when the fixes become available from the vendors.

Status

Ongoing

Affected Products & Versions

This CVE is non-impacting as the impacting symbol and/or function is not used in the product

Revision History

DateRevision
02/05/2025Impacted versions changed from 4.5.20 to 4.5.20, 4.5.21
01/30/2025Status changed from Open to Ongoing
01/30/2025Official summary revised: This vulnerability is reported on several of the 3rd party cni images used by our products such as calico andmultus-cni. The out-of-bounds write vulnerability in the Bzip2 libraries can be exploited by a malicious bzip2 payload,potentially resulting in a denial of service or remote code execution. Network services or command line utilities thatdecompress untrusted bzip2 payloads are at risk. The risk scenario is low for the following reasons: These images areoptional and will be installed depending on the configuration of the deployments; there are no known reports ofexploitation from the 3rd party vendors; and these images are not accessible directly for an attacker to send craftedinput. We will upgrade the images when the fixes become available from the vendors.