Google Git
Sign in
go / pkgsite / e7143b5d335c09e1a0fef6925a59c455423496d0 / . / tests / screentest / testdata / vulndb / golang.org / x / crypto.json
blob: 379ce2f9ed864a939f9543fc8d0ed58af1d5ffb7 [file] [log] [blame]
[{"id":"GO-2020-0012","published":"2021-04-14T20:04:52Z","modified":"2022-10-21T20:22:39Z","aliases":["CVE-2020-9283","GHSA-ffhg-7mh4-33c4"],"details":"An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public\nkey, such that the library will panic when trying to verify a signature\nwith it. If verifying signatures using user supplied public keys, this\nmay be used as a denial of service vector.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20200220183623-bac4c82f6975"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0012"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["NewPublicKey","ed25519PublicKey.Verify","parseED25519","parseSKEd25519","skEd25519PublicKey.Verify"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/220357"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/3L45YRc91SY"}],"credits":[{"name":"Alex Gaynor, Fish in a Barrel"}]},{"id":"GO-2020-0013","published":"2021-04-14T20:04:52Z","modified":"2022-10-21T20:22:39Z","aliases":["CVE-2017-3204"],"details":"By default host key verification is disabled which allows for\nman-in-the-middle attacks against SSH clients if\nClientConfig.HostKeyCallback is not set.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20170330155735-e4e2799dd7aa"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0013"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["NewClientConn"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/340830"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991"},{"type":"REPORT","url":"https://go.dev/issue/19767"},{"type":"WEB","url":"https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"}],"credits":[{"name":"Phil Pennock"}]},{"id":"GO-2021-0227","published":"2022-02-17T17:35:32Z","modified":"2022-10-21T20:22:39Z","aliases":["CVE-2020-29652"],"details":"Clients can cause a panic in SSH servers. An attacker can craft\nan authentication request message for the “gssapi-with-mic” method\nwhich will cause NewServerConn to panic via a nil pointer dereference\nif ServerConfig.GSSAPIWithMICConfig is nil.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20201216223049-8b5274cf687f"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0227"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["connection.serverAuthenticate"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/278852"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1"}],"credits":[{"name":"Joern Schneewesiz, GitLab Security Research Team"}]},{"id":"GO-2021-0356","published":"2022-04-25T20:38:40Z","modified":"2022-10-21T14:43:38Z","aliases":["CVE-2022-27191","GHSA-8c26-wmh5-6g9v"],"details":"Attackers can cause a crash in SSH servers when the server has been\nconfigured by passing a Signer to ServerConfig.AddHostKey such that\n 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and\n 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its\n PublicKey method.\n\nServers that only use Signer implementations provided by the ssh package are\nunaffected.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220314234659-1baeb1ce4c0b"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0356"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["ServerConfig.AddHostKey"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/392355"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s"}]},{"id":"GO-2022-0209","published":"2022-07-01T20:15:25Z","modified":"2022-10-21T20:22:39Z","aliases":["CVE-2019-11840"],"details":"XORKeyStream generates incorrect and insecure output for very\nlarge inputs.\n\nIf more than 256 GiB of keystream is generated, or if the counter\notherwise grows greater than 32 bits, the amd64 implementation will\nfirst generate incorrect output, and then cycle back to previously\ngenerated keystream. Repeated keystream bytes can lead to loss of\nconfidentiality in encryption applications, or to predictability\nin CSPRNG applications.\n\nThe issue might affect uses of golang.org/x/crypto/nacl with extremely\nlarge messages.\n\nArchitectures other than amd64 and uses that generate less than 256 GiB\nof keystream for a single salsa20.XORKeyStream invocation are unaffected.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20190320223903-b7391e95e576"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0209"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/salsa20/salsa","goarch":["amd64"],"symbols":["XORKeyStream"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/168406"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d"},{"type":"REPORT","url":"https://go.dev/issue/30965"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ"}],"credits":[{"name":"Michael McLoughlin"}]},{"id":"GO-2022-0229","published":"2022-07-06T18:23:48Z","modified":"2022-10-21T20:22:39Z","aliases":["CVE-2020-7919","GHSA-cjjc-xp8v-855w"],"details":"On 32-bit architectures, a malformed input to crypto/x509 or\nthe ASN.1 parsing functions of golang.org/x/crypto/cryptobyte\ncan lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls\nconnection to a client, or to a server that accepts client\ncertificates. net/http clients can be made to crash by an HTTPS\nserver, while net/http servers that accept client certificates\nwill recover the panic and are unaffected.\n","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.12.16"},{"introduced":"1.13.0"},{"fixed":"1.13.7"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0229"},"ecosystem_specific":{"imports":[{"path":"crypto/x509"}]}},{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20200124225646-8b5121be2f68"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0229"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/cryptobyte"}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/216680"},{"type":"FIX","url":"https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574"},{"type":"FIX","url":"https://go.dev/cl/216677"},{"type":"REPORT","url":"https://go.dev/issue/36837"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Hsw4mHYc470"}],"credits":[{"name":"Project Wycheproof"}]},{"id":"GO-2022-0968","published":"2022-09-13T03:32:38Z","modified":"2022-10-21T20:22:39Z","aliases":["CVE-2021-43565","GHSA-gwc9-m7rh-j2ww"],"details":"Unauthenticated clients can cause a panic in SSH servers.\n\nWhen using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which\ncontains an empty plaintext causes a panic.\n","affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20211202192323-5770296d904e"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0968"},"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["Dial","NewClientConn","NewServerConn","chacha20Poly1305Cipher.readCipherPacket","gcmCipher.readCipherPacket"]}]}}],"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"},{"type":"REPORT","url":"https://go.dev/issues/49932"},{"type":"FIX","url":"https://go.dev/cl/368814/"}],"credits":[{"name":"Rod Hynes, Psiphon Inc."}]}]