blob: 0f0d1eaf0e7ee3538f744b74010035edd93df252 [file] [log] [blame]
id: GO-2021-0227
modules:
- module: golang.org/x/crypto
versions:
- fixed: 0.0.0-20201216223049-8b5274cf687f
vulnerable_at: 0.0.0-20201208171446-5f87f3452ae9
packages:
- package: golang.org/x/crypto/ssh
symbols:
- connection.serverAuthenticate
derived_symbols:
- NewServerConn
summary: Panic on crafted authentication request message in golang.org/x/crypto/ssh
description: |-
Clients can cause a panic in SSH servers. An attacker can craft an
authentication request message for the “gssapi-with-mic” method which will
cause NewServerConn to panic via a nil pointer dereference if
ServerConfig.GSSAPIWithMICConfig is nil.
published: 2022-02-17T17:35:32Z
cves:
- CVE-2020-29652
ghsas:
- GHSA-3vm4-22fp-5rfm
credits:
- Joern Schneewesiz (GitLab Security Research Team)
references:
- fix: https://go.dev/cl/278852
- fix: https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8
- web: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
review_status: REVIEWED