GO-2022-0166

Source
https://pkg.go.dev/vuln/GO-2022-0166
Import Source
https://vuln.go.dev/ID/GO-2022-0166.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0166
Aliases
Published
2022-05-24T22:06:33Z
Modified
2024-05-20T16:03:47Z
Summary
Denial of service due to unchecked parameters in crypto/dsa
Details

The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.
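
Added example, not taken from this advisory or from the Go project's fix: one way a caller can sanity-check a DSA public key before handing it to dsa.Verify, so malformed parameters never reach the big integer code. The record does not say which parameters went unchecked; the checks on P, Q, G and Y and the FIPS 186-3 size list are assumptions, and CheckDSAPublicKey, SafeVerify and Demo are hypothetical names.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"fmt"
	"math/big"
)

// CheckDSAPublicKey (hypothetical helper, not part of crypto/dsa) rejects keys with
// missing, out-of-range or oddly sized parameters before any big-integer arithmetic.
func CheckDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return fmt.Errorf("dsa: missing parameter")
	}
	// Assumption: accept only the FIPS 186-3 (L, N) bit sizes crypto/dsa can generate.
	size := [2]int{pub.P.BitLen(), pub.Q.BitLen()}
	switch size {
	case [2]int{1024, 160}, [2]int{2048, 224}, [2]int{2048, 256}, [2]int{3072, 256}:
	default:
		return fmt.Errorf("dsa: unexpected size L=%d N=%d", size[0], size[1])
	}
	if pub.Q.Sign() <= 0 || pub.G.Cmp(big.NewInt(1)) <= 0 || pub.G.Cmp(pub.P) >= 0 ||
		pub.Y.Sign() <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return fmt.Errorf("dsa: need Q > 0, 1 < G < P and 0 < Y < P")
	}
	return nil
}

// SafeVerify calls dsa.Verify only after the key has passed the checks above.
func SafeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) bool {
	return r != nil && s != nil && CheckDSAPublicKey(pub) == nil && dsa.Verify(pub, hash, r, s)
}

// Demo signs a constructed digest, then verifies with the real key and a malformed copy.
func Demo() (good, bad bool) {
	var priv dsa.PrivateKey
	hash := []byte("constructed-20B-hash")
	if dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160) != nil ||
		dsa.GenerateKey(&priv, rand.Reader) != nil {
		return false, false
	}
	r, s, _ := dsa.Sign(rand.Reader, &priv, hash)
	broken := priv.PublicKey
	broken.P = new(big.Int) // constructed malformed key: P replaced by zero
	return SafeVerify(&priv.PublicKey, hash, r, s), SafeVerify(&broken, hash, r, s)
}

func main() { fmt.Println(Demo()) }
```

The checks are structural only (presence, sign, range, bit length); they do not test P or Q for primality.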

References
Credits
    • David Wong

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.4
Introduced
1.6.0-0
Fixed
1.6.1

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/dsa",
            "symbols": [
                "Verify"
            ]
        }
    ]
}