GSA_kwCzR0hTQS14aGpxLXc3eG0tcDhxas4AAxeY

High EPSS: 0.01811% (0.82021 Percentile) EPSS:

Permalink JSON

golang.org/x/crypto/ssh Man-in-the-Middle attack

Affected Packages	Affected Versions	Fixed Versions
go:golang.org/x/crypto	< 0.0.0-20170330155735-e4e2799dd7aa	0.0.0-20170330155735-e4e2799dd7aa
125,672 Dependent packages 269,003 Dependent repositories Affected Version Ranges All affected versions All unaffected versions 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0

The Go SSH library (golang.org/x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks if ClientConfig.HostKeyCallback is not set. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

References:

Identifiers

GHSA-xhjq-w7xm-p8qj

CVE-2017-3204

Risk

Severity

High

EPSS

EPSS Percentage: 0.01811

EPSS Percentile: 0.82021

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/golang/go

Date and time

Published

over 2 years ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories