{"id":"GO-2021-0178","summary":"Cleartext transmission of credentials in net/smtp","details":"SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.","aliases":["CVE-2017-15042"],"modified":"2026-03-17T04:05:50.091616Z","published":"2022-01-07T20:35:00Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0178","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/68170"},{"type":"FIX","url":"https://go.googlesource.com/go/+/ec3b6131de8f9c9c25283260c95c616c74f6d790"},{"type":"REPORT","url":"https://go.dev/issue/22134"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.1.0-0"},{"fixed":"1.8.4"},{"introduced":"1.9.0-0"},{"fixed":"1.9.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["plainAuth.Start"],"path":"net/smtp"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0178.json"}}],"schema_version":"1.7.5","credits":[{"name":"Stevie Johnstone"}]}