Vulnerability Report: GO-2022-0229
standard library
- CVE-2020-7919, GHSA-cjjc-xp8v-855w
- Affects: crypto/x509, golang.org/x/crypto
- Published: Jul 06, 2022
- Modified: May 20, 2024
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Affected Packages
- Go Versions: before go1.12.16, from go1.13.0-0 before go1.13.7. Symbols: all symbols
- Go Versions: before v0.0.0-20200124225646-8b5121be2f68. Symbols: all symbols
Aliases
- CVE-2020-7919
- GHSA-cjjc-xp8v-855w
References
- https://go.dev/cl/216680
- https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
- https://go.dev/cl/216677
- https://go.dev/issue/36837
- https://groups.google.com/g/golang-announce/c/Hsw4mHYc470
- https://vuln.go.dev/ID/GO-2022-0229.json
Credits
- Project Wycheproof