data/reports/GO-2020-0013.yaml - vulndb - Git at Google

 id: GO-2020-0013
 modules:
     - module: golang.org/x/crypto
       versions:
         - fixed: 0.0.0-20170330155735-e4e2799dd7aa
       vulnerable_at: 0.0.0-20170317163734-459e26527287
       packages:
         - package: golang.org/x/crypto/ssh
           symbols:
             - NewClientConn
           derived_symbols:
             - Dial
 summary: Man-in-the-middle attack in golang.org/x/crypto/ssh
 description: |-
     By default host key verification is disabled which allows for man-in-the-middle
     attacks against SSH clients if ClientConfig.HostKeyCallback is not set.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2017-3204
 ghsas:
     - GHSA-xhjq-w7xm-p8qj
 credits:
     - Phil Pennock
 references:
     - fix: https://go.dev/cl/38701
     - fix: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
     - report: https://go.dev/issue/19767
     - web: https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
	id: GO-2020-0013
	modules:
	- module: golang.org/x/crypto
	versions:
	- fixed: 0.0.0-20170330155735-e4e2799dd7aa
	vulnerable_at: 0.0.0-20170317163734-459e26527287
	packages:
	- package: golang.org/x/crypto/ssh
	symbols:
	- NewClientConn
	derived_symbols:
	- Dial
	summary: Man-in-the-middle attack in golang.org/x/crypto/ssh
	description: \|-
	By default host key verification is disabled which allows for man-in-the-middle
	attacks against SSH clients if ClientConfig.HostKeyCallback is not set.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2017-3204
	ghsas:
	- GHSA-xhjq-w7xm-p8qj
	credits:
	- Phil Pennock
	references:
	- fix: https://go.dev/cl/38701
	- fix: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
	- report: https://go.dev/issue/19767
	- web: https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/