GO-2024-2660
- Source
- https://pkg.go.dev/vuln/GO-2024-2660
- Import Source
- https://vuln.go.dev/ID/GO-2024-2660.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GO-2024-2660
- Aliases
- Related
- Published
- 2024-03-27T22:08:48Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Memory leak in github.com/golang-fips/openssl/v2 and github.com/microsoft/go-crypto-openssl
- Details
-
Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2024-2660", "review_status": "REVIEWED" }- References
- Credits
-
-
- @qmuntal and @r3kumar
-
Affected packages
Go / github.com/golang-fips/openssl/v2
Package
- Name
- github.com/golang-fips/openssl/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/golang-fips/openssl/v2
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.1
Ecosystem specific
{
"imports": [
{
"path": "github.com/golang-fips/openssl/v2",
"symbols": [
"DecryptRSANoPadding",
"DecryptRSAOAEP",
"DecryptRSAPKCS1",
"EncryptRSANoPadding",
"EncryptRSAOAEP",
"EncryptRSAPKCS1",
"NewGCMTLS",
"NewGCMTLS13",
"NewRC4Cipher",
"SignMarshalECDSA",
"SignRSAPKCS1v15",
"SignRSAPSS",
"VerifyECDSA",
"VerifyRSAPKCS1v15",
"VerifyRSAPSS",
"aesCipher.Decrypt",
"aesCipher.Encrypt",
"aesCipher.NewCBCDecrypter",
"aesCipher.NewCBCEncrypter",
"aesCipher.NewCTR",
"aesCipher.NewGCM",
"aesCipher.NewGCMTLS",
"aesCipher.NewGCMTLS13",
"desCipher.Decrypt",
"desCipher.Encrypt",
"desCipher.NewCBCDecrypter",
"desCipher.NewCBCEncrypter",
"desCipherWithoutCBC.Decrypt",
"desCipherWithoutCBC.Encrypt",
"newCipherCtx",
"noGCM.Decrypt",
"noGCM.Encrypt",
"setupEVP"
]
}
]
}
Go / github.com/microsoft/go-crypto-openssl
Package
- Name
- github.com/microsoft/go-crypto-openssl
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/microsoft/go-crypto-openssl
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.2.9
Ecosystem specific
{
"imports": [
{
"path": "github.com/microsoft/go-crypto-openssl/openssl",
"symbols": [
"DecryptRSANoPadding",
"DecryptRSAOAEP",
"DecryptRSAOAEPWithMGF1Hash",
"DecryptRSAPKCS1",
"EncryptRSANoPadding",
"EncryptRSAOAEP",
"EncryptRSAOAEPWithMGF1Hash",
"EncryptRSAPKCS1",
"SignMarshalECDSA",
"SignRSAPKCS1v15",
"SignRSAPSS",
"VerifyECDSA",
"VerifyRSAPKCS1v15",
"VerifyRSAPSS",
"setupEVP"
]
}
]
}