data/reports/GO-2022-0229.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.12.16
       - introduced: 1.13.0
         fixed: 1.13.7
     vulnerable_at: 1.13.6
     packages:
       - package: crypto/x509
   - module: golang.org/x/crypto
     versions:
       - fixed: 0.0.0-20200124225646-8b5121be2f68
     vulnerable_at: 0.0.0-20200115085410-6d4e4cb37c7d
     packages:
       - package: golang.org/x/crypto/cryptobyte
 description: |
     On 32-bit architectures, a malformed input to crypto/x509 or
     the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte
     can lead to a panic.

     The malformed certificate can be delivered via a crypto/tls
     connection to a client, or to a server that accepts client
     certificates. net/http clients can be made to crash by an HTTPS
     server, while net/http servers that accept client certificates
     will recover the panic and are unaffected.
 published: 2022-07-06T18:23:48Z
 cves:
   - CVE-2020-7919
 ghsas:
   - GHSA-cjjc-xp8v-855w
 credit: Project Wycheproof
 references:
   - fix: https://go.dev/cl/216680
   - fix: https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
   - fix: https://go.dev/cl/216677
   - report: https://go.dev/issue/36837
   - web: https://groups.google.com/g/golang-announce/c/Hsw4mHYc470
	modules:
	- module: std
	versions:
	- fixed: 1.12.16
	- introduced: 1.13.0
	fixed: 1.13.7
	vulnerable_at: 1.13.6
	packages:
	- package: crypto/x509
	- module: golang.org/x/crypto
	versions:
	- fixed: 0.0.0-20200124225646-8b5121be2f68
	vulnerable_at: 0.0.0-20200115085410-6d4e4cb37c7d
	packages:
	- package: golang.org/x/crypto/cryptobyte
	description: \|
	On 32-bit architectures, a malformed input to crypto/x509 or
	the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte
	can lead to a panic.

	The malformed certificate can be delivered via a crypto/tls
	connection to a client, or to a server that accepts client
	certificates. net/http clients can be made to crash by an HTTPS
	server, while net/http servers that accept client certificates
	will recover the panic and are unaffected.
	published: 2022-07-06T18:23:48Z
	cves:
	- CVE-2020-7919
	ghsas:
	- GHSA-cjjc-xp8v-855w
	credit: Project Wycheproof
	references:
	- fix: https://go.dev/cl/216680
	- fix: https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
	- fix: https://go.dev/cl/216677
	- report: https://go.dev/issue/36837
	- web: https://groups.google.com/g/golang-announce/c/Hsw4mHYc470