Damien Neilea893532022-09-13 15:40:34 -07001{
Tatiana Bradley264b4062023-03-31 16:44:23 -04002 "schema_version": "1.3.1",
Damien Neilea893532022-09-13 15:40:34 -07003 "id": "GO-2022-0229",
Damien Neilea893532022-09-13 15:40:34 -07004 "modified": "0001-01-01T00:00:00Z",
Tatiana Bradley264b4062023-03-31 16:44:23 -04005 "published": "2022-07-06T18:23:48Z",
Damien Neilea893532022-09-13 15:40:34 -07006 "aliases": [
7 "CVE-2020-7919",
8 "GHSA-cjjc-xp8v-855w"
9 ],
Tatiana Bradley4d4a3612023-06-06 14:13:32 -040010 "summary": "Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte",
Tatiana Bradleye21719c2022-10-05 12:05:17 -040011 "details": "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.\n\nThe malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.",
Damien Neilea893532022-09-13 15:40:34 -070012 "affected": [
13 {
14 "package": {
15 "name": "stdlib",
16 "ecosystem": "Go"
17 },
18 "ranges": [
19 {
20 "type": "SEMVER",
21 "events": [
22 {
23 "introduced": "0"
24 },
25 {
26 "fixed": "1.12.16"
27 },
28 {
Tatiana Bradley69f5b832023-05-10 17:12:22 -040029 "introduced": "1.13.0-0"
Damien Neilea893532022-09-13 15:40:34 -070030 },
31 {
32 "fixed": "1.13.7"
33 }
34 ]
35 }
36 ],
Damien Neilea893532022-09-13 15:40:34 -070037 "ecosystem_specific": {
38 "imports": [
39 {
40 "path": "crypto/x509"
41 }
42 ]
43 }
44 },
45 {
46 "package": {
47 "name": "golang.org/x/crypto",
48 "ecosystem": "Go"
49 },
50 "ranges": [
51 {
52 "type": "SEMVER",
53 "events": [
54 {
55 "introduced": "0"
56 },
57 {
58 "fixed": "0.0.0-20200124225646-8b5121be2f68"
59 }
60 ]
61 }
62 ],
Damien Neilea893532022-09-13 15:40:34 -070063 "ecosystem_specific": {
64 "imports": [
65 {
66 "path": "golang.org/x/crypto/cryptobyte"
67 }
68 ]
69 }
70 }
71 ],
72 "references": [
73 {
74 "type": "FIX",
75 "url": "https://go.dev/cl/216680"
76 },
77 {
78 "type": "FIX",
79 "url": "https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574"
80 },
81 {
82 "type": "FIX",
83 "url": "https://go.dev/cl/216677"
84 },
85 {
86 "type": "REPORT",
87 "url": "https://go.dev/issue/36837"
88 },
89 {
90 "type": "WEB",
91 "url": "https://groups.google.com/g/golang-announce/c/Hsw4mHYc470"
92 }
Aaqa Ishtyaq4c804902022-10-01 19:40:57 +053093 ],
94 "credits": [
95 {
96 "name": "Project Wycheproof"
97 }
Maceo Thompson93f50fc2022-11-21 13:47:08 -050098 ],
Tatiana Bradley264b4062023-03-31 16:44:23 -040099 "database_specific": {
Tatiana Bradley69d9a202024-05-14 15:19:00 -0400100 "url": "https://pkg.go.dev/vuln/GO-2022-0229",
101 "review_status": "REVIEWED"
Tatiana Bradley264b4062023-03-31 16:44:23 -0400102 }
Damien Neilea893532022-09-13 15:40:34 -0700103}