Vulnerability Report: GO-2020-0012

CVE-2020-9283, GHSA-ffhg-7mh4-33c4
Affects: golang.org/x/crypto
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.

Affected Packages

Path

Go Versions

Symbols
golang.org/x/crypto/ssh

before v0.0.0-20200220183623-bac4c82f6975
17 affected symbols

Aliases

CVE-2020-9283
GHSA-ffhg-7mh4-33c4

References

https://go.dev/cl/220357
https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
https://groups.google.com/g/golang-announce/c/3L45YRc91SY
https://vuln.go.dev/ID/GO-2020-0012.json

Credits

Alex Gaynor, Fish in a Barrel

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL