GO-2022-0217

Source
https://pkg.go.dev/vuln/GO-2022-0217
Import Source
https://vuln.go.dev/ID/GO-2022-0217.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0217
Aliases
Published
2022-05-24T15:21:01Z
Modified
2024-05-20T16:03:47Z
Summary
Denial of service affecting P-521 and P-384 curves in crypto/elliptic
Details

A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

References
Credits
    • Wycheproof Project

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.8
Introduced
1.11.0-0
Fixed
1.11.5

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/elliptic",
            "symbols": [
                "curve.doubleJacobian"
            ]
        }
    ]
}