GHSA-78hx-gp6g-7mj6

Suggest an improvement
Source
https://github.com/advisories/GHSA-78hx-gp6g-7mj6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-78hx-gp6g-7mj6/GHSA-78hx-gp6g-7mj6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-78hx-gp6g-7mj6
Aliases
Published
2024-03-20T18:10:36Z
Modified
2024-10-22T14:21:14Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Memory leaks in code encrypting and verifying RSA payloads
Details

Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads.

An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

Database specific
{
    "nvd_published_at": "2024-03-21T13:00:08Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-401"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T18:10:36Z"
}
References

Affected packages

Go / github.com/golang-fips/go

Package

Name
github.com/golang-fips/go
View open source insights on deps.dev
Purl
pkg:golang/github.com/golang-fips/go

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.22.1

Go / github.com/golang-fips/openssl/v2

Package

Name
github.com/golang-fips/openssl/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/golang-fips/openssl/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.1

Database specific

{
    "last_known_affected_version_range": "<= 2.0.0"
}

Go / github.com/microsoft/go-crypto-openssl

Package

Name
github.com/microsoft/go-crypto-openssl
View open source insights on deps.dev
Purl
pkg:golang/github.com/microsoft/go-crypto-openssl

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.2.8

Go / github.com/microsoft/go-crypto-openssl/openssl

Package

Name
github.com/microsoft/go-crypto-openssl/openssl
View open source insights on deps.dev
Purl
pkg:golang/github.com/microsoft/go-crypto-openssl/openssl

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.2.9

Database specific

{
    "last_known_affected_version_range": "<= 0.2.8"
}