id: GO-2022-0191
modules:
- module: std
versions:
- fixed: 1.10.6
- introduced: 1.11.0-0
- fixed: 1.11.3
vulnerable_at: 1.11.2
packages:
- package: crypto/x509
symbols:
- CertPool.findVerifiedParents
- Certificate.buildChains
summary: Denial of service in chain verification in crypto/x509
description: |-
The crypto/x509 package does not limit the amount of work performed for each
chain verification, which might allow attackers to craft pathological inputs
leading to a CPU denial of service. Go TLS servers accepting client certificates
and TLS clients verifying certificates are affected.
published: 2022-07-15T23:03:26Z
cves:
- CVE-2018-16875
credits:
- Netflix
references:
- fix: https://go.dev/cl/154105
- fix: https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f
- report: https://go.dev/issue/29233
- web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
review_status: REVIEWED
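The two version ranges in this record are easy to misread: the first has no `introduced`, so every release before 1.10.6 is affected, and the second starts at `1.11.0-0`, the lowest possible pre-release tag, so the 1.11 betas and release candidates are in range as well as 1.11.0 through 1.11.2. The program below, an added example that is not part of the vulndb record or of the Go project's code, applies those ranges to a `runtime.Version()`-style string. The range boundaries are taken from this record; the names `AffectedByGO20220191`, `parseGoVersion` and `goVersion` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// goVersion is a parsed Go release string. pre marks a pre-release
// (an rc/beta tag, or the "-0" form used in the vulndb), which sorts
// before the corresponding release.
type goVersion struct {
	major, minor, patch int
	pre                 bool
}

// parseGoVersion accepts "go1.11.2", "1.11.2", "go1.11", "go1.11rc1" and
// the vulndb form "1.11.0-0". Anything after the dotted digits is treated
// as a pre-release tag.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	var v goVersion
	cut := len(s)
	for i, c := range s {
		if (c < '0' || c > '9') && c != '.' {
			cut = i
			break
		}
	}
	if cut < len(s) {
		v.pre = true
		s = s[:cut]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int // a missing patch component means .0
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("unrecognised Go version %q: %v", s, err)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less orders versions numerically, with a pre-release sorting before the
// release it precedes (1.11rc1 < 1.11.0).
func (v goVersion) less(w goVersion) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	if v.patch != w.patch {
		return v.patch < w.patch
	}
	return v.pre && !w.pre
}

// AffectedByGO20220191 applies this record's ranges (assumed name):
// every release before 1.10.6, and [1.11.0-0, 1.11.3), where 1.11.0-0
// is the lowest 1.11 pre-release and so pulls in the 1.11 betas and rcs.
func AffectedByGO20220191(release string) (bool, error) {
	v, err := parseGoVersion(release)
	if err != nil {
		return false, err
	}
	fixed110 := goVersion{1, 10, 6, false}
	intro111 := goVersion{1, 11, 0, true}
	fixed111 := goVersion{1, 11, 3, false}
	if v.less(fixed110) {
		return true, nil
	}
	return !v.less(intro111) && v.less(fixed111), nil
}

func main() {
	for _, rel := range []string{"go1.10.5", "go1.10.6", "go1.11rc1", "go1.11.2", "go1.11.3", "go1.12"} {
		affected, err := AffectedByGO20220191(rel)
		fmt.Printf("%-10s affected=%v err=%v\n", rel, affected, err)
	}
}
```

On a live system, feed `runtime.Version()` (or the output of `go version`) to the check. The code path this record names is reached through `Certificate.Verify`, which `crypto/tls` calls on the server side when `ClientAuth` is set to verify client certificates and on the client side for the server's certificate, so a patched toolchain is the fix; there is no configuration knob in the affected releases that bounds the verification work.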