data/reports/GO-2022-0191.yaml - vulndb - Git at Google

 id: GO-2022-0191
 modules:
     - module: std
       versions:
         - fixed: 1.10.6
         - introduced: 1.11.0-0
           fixed: 1.11.3
       vulnerable_at: 1.11.2
       packages:
         - package: crypto/x509
           symbols:
             - CertPool.findVerifiedParents
             - Certificate.buildChains
 summary: Denial of service in chain verification in crypto/x509
 description: |-
     The crypto/x509 package does not limit the amount of work performed for each
     chain verification, which might allow attackers to craft pathological inputs
     leading to a CPU denial of service. Go TLS servers accepting client certificates
     and TLS clients verifying certificates are affected.
 published: 2022-07-15T23:03:26Z
 cves:
     - CVE-2018-16875
 credits:
     - Netflix
 references:
     - fix: https://go.dev/cl/154105
     - fix: https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f
     - report: https://go.dev/issue/29233
     - web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
	id: GO-2022-0191
	modules:
	- module: std
	versions:
	- fixed: 1.10.6
	- introduced: 1.11.0-0
	fixed: 1.11.3
	vulnerable_at: 1.11.2
	packages:
	- package: crypto/x509
	symbols:
	- CertPool.findVerifiedParents
	- Certificate.buildChains
	summary: Denial of service in chain verification in crypto/x509
	description: \|-
	The crypto/x509 package does not limit the amount of work performed for each
	chain verification, which might allow attackers to craft pathological inputs
	leading to a CPU denial of service. Go TLS servers accepting client certificates
	and TLS clients verifying certificates are affected.
	published: 2022-07-15T23:03:26Z
	cves:
	- CVE-2018-16875
	credits:
	- Netflix
	references:
	- fix: https://go.dev/cl/154105
	- fix: https://go.googlesource.com/go/+/770130659b6fb2acf271476579a3644e093dda7f
	- report: https://go.dev/issue/29233
	- web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0