GO-2022-0968
- Source
- https://pkg.go.dev/vuln/GO-2022-0968
- Import Source
- https://vuln.go.dev/ID/GO-2022-0968.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GO-2022-0968
- Aliases
- Published
- 2022-09-13T03:32:38Z
- Modified
- 2024-09-11T06:13:16.418518Z
- Summary
- Panic on malformed packets in golang.org/x/crypto/ssh
- Details
-
Unauthenticated clients can cause a panic in SSH servers.
When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2022-0968", "review_status": "REVIEWED" }- References
- Credits
-
-
- Rod Hynes (Psiphon Inc)
-
Affected packages
Go / golang.org/x/crypto
Package
- Name
- golang.org/x/crypto
- View open source insights on deps.dev
- Purl
- pkg:golang/golang.org/x/crypto
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.0.0-20211202192323-5770296d904e
Ecosystem specific
{
"imports": [
{
"symbols": [
"Dial",
"NewClientConn",
"NewServerConn",
"chacha20Poly1305Cipher.readCipherPacket",
"curve25519sha256.Client",
"curve25519sha256.Server",
"dhGEXSHA.Client",
"dhGEXSHA.Server",
"dhGroup.Client",
"dhGroup.Server",
"ecdh.Client",
"ecdh.Server",
"gcmCipher.readCipherPacket"
],
"path": "golang.org/x/crypto/ssh"
}
]
}