GO-2022-0968

See a problem?
Source
https://pkg.go.dev/vuln/GO-2022-0968
Import Source
https://vuln.go.dev/ID/GO-2022-0968.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0968
Aliases
Published
2022-09-13T03:32:38Z
Modified
2024-05-20T16:03:47Z
Summary
Panic on malformed packets in golang.org/x/crypto/ssh
Details

Unauthenticated clients can cause a panic in SSH servers.

When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

References
Credits
    • Rod Hynes (Psiphon Inc)

Affected packages

Go / golang.org/x/crypto

Package

Name
golang.org/x/crypto
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/crypto

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-20211202192323-5770296d904e

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/crypto/ssh",
            "symbols": [
                "Dial",
                "NewClientConn",
                "NewServerConn",
                "chacha20Poly1305Cipher.readCipherPacket",
                "curve25519sha256.Client",
                "curve25519sha256.Server",
                "dhGEXSHA.Client",
                "dhGEXSHA.Server",
                "dhGroup.Client",
                "dhGroup.Server",
                "ecdh.Client",
                "ecdh.Server",
                "gcmCipher.readCipherPacket"
            ]
        }
    ]
}