GO-2022-0217

See a problem?

Source

https://pkg.go.dev/vuln/GO-2022-0217

Import Source

https://vuln.go.dev/ID/GO-2022-0217.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0217

Aliases

CVE-2019-6486

Published

2022-05-24T15:21:01Z

Modified

2024-05-20T16:03:47Z

Summary

Denial of service affecting P-521 and P-384 curves in crypto/elliptic

Details

A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

References

Credits

- Wycheproof Project

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.8

Introduced

1.11.0-0

Fixed

1.11.5

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/elliptic",
            "symbols": [
                "curve.doubleJacobian"
            ]
        }
    ]
}