GO-2022-0968

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0968

Import Source

https://vuln.go.dev/ID/GO-2022-0968.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0968

Aliases

Published

2022-09-13T03:32:38Z

Modified

2024-05-20T16:03:47Z

Summary

Panic on malformed packets in golang.org/x/crypto/ssh

Details

Unauthenticated clients can cause a panic in SSH servers.

When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

References

Credits

- Rod Hynes (Psiphon Inc)

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20211202192323-5770296d904e

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/crypto/ssh",
            "symbols": [
                "Dial",
                "NewClientConn",
                "NewServerConn",
                "chacha20Poly1305Cipher.readCipherPacket",
                "curve25519sha256.Client",
                "curve25519sha256.Server",
                "dhGEXSHA.Client",
                "dhGEXSHA.Server",
                "dhGroup.Client",
                "dhGroup.Server",
                "ecdh.Client",
                "ecdh.Server",
                "gcmCipher.readCipherPacket"
            ]
        }
    ]
}