Vulnerability Report: GO-2022-0217
standard library- CVE-2019-6486
- Affects: crypto/elliptic
- Published: May 24, 2022
- Modified: May 20, 2024
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
Affected Packages
-
PathGo VersionsSymbols
-
before go1.10.8, from go1.11.0-0 before go1.11.5
1 unexported affected symbols
- curve.doubleJacobian
Aliases
References
- https://go.dev/cl/159218
- https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20
- https://go.dev/issue/29903
- https://groups.google.com/g/golang-announce/c/mVeX35iXuSw
- https://vuln.go.dev/ID/GO-2022-0217.json
Credits
- Wycheproof Project
Feedback
See anything missing or incorrect?
Suggest an edit to this report.