reports/GO-2020-0013.toml - vulndb - Git at Google

 package = "golang.org/x/crypto/ssh"

 description = """
 By default host key verification is disabled which allows for
 man-in-the-middle attacks against SSH clients if
 [`ClientConfig.HostKeyCallback`] is not set.
 """

 cve = "CVE-2017-3204"

 credit = "Phil Pennock"

 symbols = ["NewClientConn"]

 [[versions]]
 fixed = "v0.0.0-20170330155735-e4e2799dd7aa"

 [links]
 pr = "https://go-review.googlesource.com/38701"
 commit = "https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991"
 context = [
     "https://github.com/golang/go/issues/19767",
     "https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"
 ]
	package = "golang.org/x/crypto/ssh"

	description = """
	By default host key verification is disabled which allows for
	man-in-the-middle attacks against SSH clients if
	[`ClientConfig.HostKeyCallback`] is not set.
	"""

	cve = "CVE-2017-3204"

	credit = "Phil Pennock"

	symbols = ["NewClientConn"]

	[[versions]]
	fixed = "v0.0.0-20170330155735-e4e2799dd7aa"

	[links]
	pr = "https://go-review.googlesource.com/38701"
	commit = "https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991"
	context = [
	"https://github.com/golang/go/issues/19767",
	"https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"
	]