CVE-2021-41772: 
Jenkins vulnerability analysis and mitigation

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. The vulnerability was discovered and disclosed in November 2021 (Golang Announce).

The vulnerability exists in the archive/zip package's Reader.Open functionality, which implements the io/fs.FS API introduced in Go 1.16. The issue can be triggered when processing ZIP archives containing completely invalid names or when an empty filename argument is provided. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through application panic. The vulnerability affects the availability of applications using the vulnerable Go versions but does not impact confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in Go versions 1.16.10 and 1.17.3. Users should upgrade to these or later versions to address the issue. The fix was contributed by Colin Arnott from SiteHost and Noah Santschi-Cooney from Sourcegraph Code Intelligence Team (Golang Announce).