An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zdm00LTIyZnAtNXJmbc4AArAQ

Severity: High
EPSS: 0.00034% (0.08297 percentile)

golang.org/x/crypto/ssh NULL Pointer Dereference vulnerability

Affected package          Affected versions                       Fixed version
go:golang.org/x/crypto    < 0.0.0-20201216223049-8b5274cf687f     0.0.0-20201216223049-8b5274cf687f
125,672 Dependent packages
269,003 Dependent repositories

Affected Version Ranges

All affected versions: no tagged releases (only pseudo-versions below the fix commit in the table above fall in the affected range)

All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0
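Because the affected range is expressed as a Go pseudo-version rather than a tagged release, checking a go.mod by eye is error-prone. The program below is an added example written for this page (it is not code from this service or from the golang.org/x/crypto project): it classifies a golang.org/x/crypto version string against the fix commit in the table above and extracts the required version from a constructed go.mod. The names IsAffected, CryptoVersionFromGoMod and SampleGoMod, the go.mod contents, and the v0.1.1-0.<timestamp>-0123456789ab pseudo-version used for illustration are assumptions; the pseudo-version syntax it parses is the standard Go form.

```go
package main

import (
	"fmt"
	"regexp"
)

// FixedVersion is the fix pseudo-version from the advisory table above.
const FixedVersion = "v0.0.0-20201216223049-8b5274cf687f"

// pseudoRe captures the base version and the 14-digit UTC timestamp of a Go
// pseudo-version in any of its three forms:
//   vX.Y.Z-yyyymmddhhmmss-abcdefabcdef
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef
//   vX.Y.Z-0.yyyymmddhhmmss-abcdefabcdef
var pseudoRe = regexp.MustCompile(`^(v\d+\.\d+\.\d+)-(?:[0-9A-Za-z.-]*\.)?(\d{14})-[0-9a-f]{12}$`)

// requireRe finds the golang.org/x/crypto requirement in go.mod text, whether
// written as a single-line require or inside a require ( ... ) block.
var requireRe = regexp.MustCompile(`(?m)^\s*(?:require\s+)?golang\.org/x/crypto\s+(v\S+)`)

// parsePseudo returns the base version and timestamp of v; ok is false for a
// tagged release such as v0.40.0.
func parsePseudo(v string) (base, ts string, ok bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// IsAffected reports whether version falls in the advisory's affected range
// "< v0.0.0-20201216223049-8b5274cf687f".
func IsAffected(version string) bool {
	fixBase, fixTS, _ := parsePseudo(FixedVersion)
	base, ts, ok := parsePseudo(version)
	if !ok {
		// Tagged releases of golang.org/x/crypto (v0.1.0 and later) all postdate the fix.
		return false
	}
	if base != fixBase {
		// A pseudo-version hanging off a later tag (e.g. v0.1.1-0.<ts>-<hash>)
		// sorts after every v0.0.0 pseudo-version.
		return false
	}
	// Same base version: yyyymmddhhmmss timestamps compare correctly as strings.
	return ts < fixTS
}

// CryptoVersionFromGoMod returns the golang.org/x/crypto version required by
// gomod, or "" when it is not required. It ignores replace directives; for the
// version a build actually resolves, use `go list -m golang.org/x/crypto`.
func CryptoVersionFromGoMod(gomod string) string {
	m := requireRe.FindStringSubmatch(gomod)
	if m == nil {
		return ""
	}
	return m[1]
}

// SampleGoMod is a constructed go.mod that pins the pre-fix pseudo-version
// named in the advisory description.
const SampleGoMod = `module example.com/sshd

go 1.15

require (
	github.com/pkg/errors v0.9.1
	golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c // indirect
)
`

func main() {
	v := CryptoVersionFromGoMod(SampleGoMod)
	fmt.Printf("go.mod requires golang.org/x/crypto %s: affected=%v\n", v, IsAffected(v))
	// The last entry is a constructed pseudo-version derived from a later tag.
	for _, v := range []string{FixedVersion, "v0.1.0", "v0.1.1-0.20221117191849-0123456789ab"} {
		fmt.Printf("%-45s affected=%v\n", v, IsAffected(v))
	}
}
```

The timestamp comparison is only valid when the base versions are equal, which is why the function short-circuits on a different base instead of trying to order arbitrary semver strings; a real audit should read the resolved version from `go list -m` so that replace directives and minimal version selection are accounted for.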

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method that causes ssh.NewServerConn to panic via a nil pointer dereference when ServerConfig.GSSAPIWithMICConfig is nil. Because the request is sent during user authentication, no valid credentials are required, and a server is exposed precisely when it never enabled GSS-API authentication, since that is the configuration in which the field is nil. The fix is the pseudo-version 0.0.0-20201216223049-8b5274cf687f listed in the table above; every tagged release of golang.org/x/crypto (0.1.0 onward) includes it.
