An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1nd2M5LW03cmgtajJ3d84AAup1

Severity: High
EPSS: 0.00013% (0.01363 Percentile)

x/crypto/ssh vulnerable to panic via malformed packets

Affected package: go:golang.org/x/crypto
Affected versions: < 0.0.0-20211202192323-5770296d904e
Fixed versions: 0.0.0-20211202192323-5770296d904e
Dependent packages: 125,672
Dependent repositories: 269,003

Affected Version Ranges

All affected versions: no tagged release is affected; the affected range covers only pre-release pseudo-versions earlier than 0.0.0-20211202192323-5770296d904e.

All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0
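A check for the affected range above, added here as an example (it is not code from this page or from the x/crypto project): it parses a go.mod and classifies the required golang.org/x/crypto version against the fixed pseudo-version. Pseudo-versions compare by their 14-digit timestamp, and every tagged release postdates the fix commit. The sample go.mod, its module path and its commit hashes are constructed for the demonstration; replace and exclude directives are ignored, so for a real build treat `go list -m golang.org/x/crypto` as the authoritative answer.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Taken from the advisory's fixed version: pseudo-versions of golang.org/x/crypto
// whose timestamp precedes this commit lie inside the affected range.
const (
	vulnModule   = "golang.org/x/crypto"
	fixTimestamp = "20211202192323"
	fixHash      = "5770296d904e"
)

var (
	// v0.0.0-<yyyymmddhhmmss>-<12 hex digits>: the only version form x/crypto had before it was tagged.
	pseudoVersion = regexp.MustCompile(`^v0\.0\.0-(\d{14})-([0-9a-f]{12})$`)
	// vMAJOR.MINOR.PATCH: every tagged release of x/crypto postdates the fix.
	taggedVersion = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)
)

type Verdict int

const (
	NotRequired Verdict = iota // go.mod does not require golang.org/x/crypto
	Vulnerable                 // version is inside the affected range
	Fixed                      // version is the fix commit or later
	Unknown                    // unrecognised version form; resolve with `go list -m`
)

func (v Verdict) String() string {
	return []string{"not required", "VULNERABLE", "fixed", "unknown"}[v]
}

// classify decides whether one golang.org/x/crypto version string lies in the
// affected range "< 0.0.0-20211202192323-5770296d904e".
func classify(version string) Verdict {
	if m := pseudoVersion.FindStringSubmatch(version); m != nil {
		ts, hash := m[1], m[2]
		switch {
		case ts < fixTimestamp: // fixed-width timestamps compare correctly as strings
			return Vulnerable
		case ts == fixTimestamp && hash != fixHash:
			return Unknown // same second, different commit: let `go list -m -json` decide
		default:
			return Fixed
		}
	}
	if taggedVersion.MatchString(version) {
		return Fixed
	}
	return Unknown
}

// scanGoMod returns the golang.org/x/crypto version a go.mod requires (single-line
// or block `require` form) and its verdict. replace/exclude directives are not
// interpreted, so this is a triage aid, not a substitute for the module graph.
func scanGoMod(content string) (string, Verdict) {
	sc := bufio.NewScanner(strings.NewReader(content))
	inRequire := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" and other comments
		}
		if line == "require (" {
			inRequire = true
			continue
		}
		if line == ")" {
			inRequire = false
			continue
		}
		f := strings.Fields(line)
		if inRequire && len(f) >= 2 && f[0] == vulnModule {
			return f[1], classify(f[1])
		}
		if !inRequire && len(f) >= 3 && f[0] == "require" && f[1] == vulnModule {
			return f[2], classify(f[2])
		}
	}
	return "", NotRequired
}

// sampleGoMod is a constructed go.mod for the demonstration; the hashes are not real commits.
const sampleGoMod = `module example.com/sshd

go 1.17

require (
	golang.org/x/crypto v0.0.0-20210921155107-0123456789ab
	golang.org/x/sys v0.0.0-20210615035016-fedcba987654 // indirect
)
`

func main() {
	version, verdict := scanGoMod(sampleGoMod)
	fmt.Printf("%s %s: %s\n", vulnModule, version, verdict)
	for _, v := range []string{"v0.0.0-20211202192323-5770296d904e", "v0.17.0", "v0.0.0-20211201000000-abcdefabcdef"} {
		fmt.Printf("%s: %s\n", v, classify(v))
	}
}
```

The timestamp comparison is the whole check: a pseudo-version older than 20211202192323 is inside the range regardless of its hash, while a tagged v0.x.0 is always clear because the project was first tagged after the fix landed.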

The x/crypto/ssh package of golang.org/x/crypto before 0.0.0-20211202192323-5770296d904e allows an unauthenticated attacker to crash (panic) an SSH server. When the connection uses AES-GCM or ChaCha20-Poly1305, consuming a malformed packet whose decrypted plaintext is empty causes a panic. No credentials are needed: the packet is sent after key exchange and before user authentication, and because an unrecovered panic terminates the whole Go process, one malicious connection takes the server down for every client, not just itself. Upgrade to the fixed version; until that is possible, leaving the AES-GCM and ChaCha20-Poly1305 ciphers out of the server's ssh.Config Ciphers list keeps the affected read path out of use.
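To make the failure concrete, here is an added example (not the x/crypto/ssh source and not from the page) that models the AES-GCM packet read path the advisory refers to: a 4-byte length field authenticated as associated data, an encrypted body of padding_length || payload || padding, and a 16-byte tag. It seals a well-formed packet and one whose authenticated plaintext is empty, then feeds both to a reader with the pre-fix shape and to one that rejects an empty plaintext. The key, nonces, packet contents and function names are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout modelled (RFC 5647 AES-GCM for SSH, the shape x/crypto/ssh reads):
// packet_length (4 bytes, clear but authenticated as AAD) || AES-GCM(padding_length || payload || padding) || tag.
const gcmTagSize = 16

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor returns the 12-byte nonce for packet seq: a fixed 4-byte prefix plus a per-packet 64-bit counter.
func nonceFor(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// sealPacket encrypts body (padding_length || payload || padding) as one packet. An empty body is the
// malformed case: a peer holding the session keys produces it with a valid tag, so the AEAD check passes.
func sealPacket(aead cipher.AEAD, nonce, body []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(body)))
	out := make([]byte, 0, 4+len(body)+gcmTagSize)
	return aead.Seal(append(out, hdr...), nonce, body, hdr)
}

// decryptPacket checks the framing, then authenticates and decrypts the body.
func decryptPacket(aead cipher.AEAD, nonce, pkt []byte) ([]byte, error) {
	if len(pkt) < 4+gcmTagSize || int(binary.BigEndian.Uint32(pkt[:4]))+gcmTagSize != len(pkt)-4 {
		return nil, errors.New("ssh: packet length does not match data read")
	}
	return aead.Open(nil, nonce, pkt[4:], pkt[:4]) // any tag mismatch is an error here
}

// splitPayload strips padding_length and the padding; plain[0] is the read that goes out of range on an empty body.
func splitPayload(plain []byte) ([]byte, error) {
	padding := int(plain[0])
	if padding < 4 || padding+1 > len(plain) {
		return nil, fmt.Errorf("ssh: illegal padding %d", padding)
	}
	return plain[1 : len(plain)-padding], nil
}

// openUnchecked has the shape of the pre-fix read path: decrypt, then trust that at least one byte came back.
func openUnchecked(aead cipher.AEAD, nonce, pkt []byte) ([]byte, error) {
	plain, err := decryptPacket(aead, nonce, pkt)
	if err != nil {
		return nil, err
	}
	return splitPayload(plain) // runtime panic (index out of range) when plain is empty
}

// openChecked adds the guard a fixed reader needs: an empty plaintext is an error for this connection only.
func openChecked(aead cipher.AEAD, nonce, pkt []byte) ([]byte, error) {
	plain, err := decryptPacket(aead, nonce, pkt)
	if err != nil {
		return nil, err
	}
	if len(plain) == 0 {
		return nil, errors.New("ssh: empty packet")
	}
	return splitPayload(plain)
}

// callCatchingPanic runs open and reports whether it panicked, so both readers can be compared in one process.
func callCatchingPanic(open func() ([]byte, error)) (payload []byte, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	payload, err = open()
	return
}

func main() {
	aead, err := newGCM(make([]byte, 16)) // constructed all-zero demo key; a real session derives keys from the KEX
	if err != nil {
		panic(err)
	}
	good := sealPacket(aead, nonceFor(1), []byte{4, 'h', 'i', 0, 0, 0, 0}) // padding_length 4, payload "hi", 4 pad bytes
	bad := sealPacket(aead, nonceFor(2), nil)                              // valid tag, empty plaintext
	for _, p := range []struct{ seq uint64; data []byte }{{1, good}, {2, bad}} {
		for _, r := range []struct{ name string; open func(cipher.AEAD, []byte, []byte) ([]byte, error) }{{"unchecked", openUnchecked}, {"checked", openChecked}} {
			payload, panicked, err := callCatchingPanic(func() ([]byte, error) { return r.open(aead, nonceFor(p.seq), p.data) })
			fmt.Printf("packet %d, %-9s payload=%q panicked=%v err=%v\n", p.seq, r.name, payload, panicked, err)
		}
	}
}
```

The attacker is the peer of an established transport, so it holds the session keys and the empty packet carries a valid tag; the AEAD layer cannot reject it, and the only guard is the length check before plain[0] is read. In a real server that read happens in the connection's goroutine, and a panic there ends the process rather than the connection, which is what turns one unauthenticated client into a denial of service for everyone.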

References: