Improper Verification of Cryptographic Signature in golang.org/x/crypto
High severity
GitHub Reviewed
Published
May 18, 2021
to the GitHub Advisory Database
•
Updated Feb 16, 2023
Package
Affected versions
< 0.0.0-20200220183623-bac4c82f6975
Patched versions
0.0.0-20200220183623-bac4c82f6975
Description
Published by the National Vulnerability Database
Feb 20, 2020
Reviewed
May 17, 2021
Published to the GitHub Advisory Database
May 18, 2021
Last updated
Feb 16, 2023
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
References