Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 1 | { |
Tatiana Bradley | 264b406 | 2023-03-31 16:44:23 -0400 | [diff] [blame] | 2 | "schema_version": "1.3.1", |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 3 | "id": "GO-2022-0229", |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 4 | "modified": "0001-01-01T00:00:00Z", |
Tatiana Bradley | 264b406 | 2023-03-31 16:44:23 -0400 | [diff] [blame] | 5 | "published": "2022-07-06T18:23:48Z", |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 6 | "aliases": [ |
| 7 | "CVE-2020-7919", |
| 8 | "GHSA-cjjc-xp8v-855w" |
| 9 | ], |
Tatiana Bradley | 4d4a361 | 2023-06-06 14:13:32 -0400 | [diff] [blame] | 10 | "summary": "Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte", |
Tatiana Bradley | e21719c | 2022-10-05 12:05:17 -0400 | [diff] [blame] | 11 | "details": "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover from the panic and are unaffected.", |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 12 | "affected": [ |
| 13 | { |
| 14 | "package": { |
| 15 | "name": "stdlib", |
| 16 | "ecosystem": "Go" |
| 17 | }, |
| 18 | "ranges": [ |
| 19 | { |
| 20 | "type": "SEMVER", |
| 21 | "events": [ |
| 22 | { |
| 23 | "introduced": "0" |
| 24 | }, |
| 25 | { |
| 26 | "fixed": "1.12.16" |
| 27 | }, |
| 28 | { |
Tatiana Bradley | 69f5b83 | 2023-05-10 17:12:22 -0400 | [diff] [blame] | 29 | "introduced": "1.13.0-0" |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 30 | }, |
| 31 | { |
| 32 | "fixed": "1.13.7" |
| 33 | } |
| 34 | ] |
| 35 | } |
| 36 | ], |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 37 | "ecosystem_specific": { |
| 38 | "imports": [ |
| 39 | { |
| 40 | "path": "crypto/x509" |
| 41 | } |
| 42 | ] |
| 43 | } |
| 44 | }, |
| 45 | { |
| 46 | "package": { |
| 47 | "name": "golang.org/x/crypto", |
| 48 | "ecosystem": "Go" |
| 49 | }, |
| 50 | "ranges": [ |
| 51 | { |
| 52 | "type": "SEMVER", |
| 53 | "events": [ |
| 54 | { |
| 55 | "introduced": "0" |
| 56 | }, |
| 57 | { |
| 58 | "fixed": "0.0.0-20200124225646-8b5121be2f68" |
| 59 | } |
| 60 | ] |
| 61 | } |
| 62 | ], |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 63 | "ecosystem_specific": { |
| 64 | "imports": [ |
| 65 | { |
| 66 | "path": "golang.org/x/crypto/cryptobyte" |
| 67 | } |
| 68 | ] |
| 69 | } |
| 70 | } |
| 71 | ], |
| 72 | "references": [ |
| 73 | { |
| 74 | "type": "FIX", |
| 75 | "url": "https://go.dev/cl/216680" |
| 76 | }, |
| 77 | { |
| 78 | "type": "FIX", |
| 79 | "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574" |
| 80 | }, |
| 81 | { |
| 82 | "type": "FIX", |
| 83 | "url": "https://go.dev/cl/216677" |
| 84 | }, |
| 85 | { |
| 86 | "type": "REPORT", |
| 87 | "url": "https://go.dev/issue/36837" |
| 88 | }, |
| 89 | { |
| 90 | "type": "WEB", |
| 91 | "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470" |
| 92 | } |
Aaqa Ishtyaq | 4c80490 | 2022-10-01 19:40:57 +0530 | [diff] [blame] | 93 | ], |
| 94 | "credits": [ |
| 95 | { |
| 96 | "name": "Project Wycheproof" |
| 97 | } |
Maceo Thompson | 93f50fc | 2022-11-21 13:47:08 -0500 | [diff] [blame] | 98 | ], |
Tatiana Bradley | 264b406 | 2023-03-31 16:44:23 -0400 | [diff] [blame] | 99 | "database_specific": { |
Tatiana Bradley | 69d9a20 | 2024-05-14 15:19:00 -0400 | [diff] [blame] | 100 | "url": "https://pkg.go.dev/vuln/GO-2022-0229", |
| 101 | "review_status": "REVIEWED" |
Tatiana Bradley | 264b406 | 2023-03-31 16:44:23 -0400 | [diff] [blame] | 102 | } |
Damien Neil | ea89353 | 2022-09-13 15:40:34 -0700 | [diff] [blame] | 103 | } |