CVE-2021-38297

Public on 2021-10-18

Modified on 2023-01-18

Description

A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity.

Severity

Medium

See what this means

CVSS v3 Base Score

9.8

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	golang	2022-04-25 15:59	ALAS-2022-1583
Amazon Linux 2 - Core	golang	2022-07-06 03:11	ALAS2-2022-1811
Amazon Linux 2 - Core	golang	2022-07-28 21:55	ALAS2-2022-1830
Amazon Linux 2 - Core	golang	2022-04-25 03:47	ALAS2-2022-1776
Amazon Linux 2023	golang	2023-02-17 20:45	ALAS2023-2023-048

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv2	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD	CVSSv3	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2021-38297 Mitre: CVE-2021-38297 FAQs regarding Amazon Linux ALAS/CVE Severity