GO-2022-0166

See a problem?

Source

https://pkg.go.dev/vuln/GO-2022-0166

Import Source

https://vuln.go.dev/ID/GO-2022-0166.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0166

Aliases

CVE-2016-3959

Published

2022-05-24T22:06:33Z

Modified

2024-05-20T16:03:47Z

Summary

Denial of service due to unchecked parameters in crypto/dsa

Details

The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.

References

Credits

- David Wong

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.4

Introduced

1.6.0-0

Fixed

1.6.1

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/dsa",
            "symbols": [
                "Verify"
            ]
        }
    ]
}