Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZmaGctN21oNC0zM2M0

High EPSS: 0.19082% (0.9504 Percentile) EPSS:
Permalink JSON

Improper Verification of Cryptographic Signature in golang.org/x/crypto

Affected Packages Affected Versions Fixed Versions
go:golang.org/x/crypto < 0.0.0-20200220183623-bac4c82f6975 0.0.0-20200220183623-bac4c82f6975
125,672 Dependent packages
269,003 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

References:

Identifiers

GHSA-ffhg-7mh4-33c4

CVE-2020-9283

Risk

Severity

High

EPSS

EPSS Percentage: 0.19082

EPSS Percentile: 0.9504

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/golang/crypto

Date and time

Published

about 4 years ago

Updated

over 2 years ago

API

JSON