GO-2022-0968

Source

https://pkg.go.dev/vuln/GO-2022-0968

Import Source

https://vuln.go.dev/ID/GO-2022-0968.json

Aliases

CVE-2021-43565
GHSA-gwc9-m7rh-j2ww

Published

2022-09-13T03:32:38Z

Modified

2024-04-26T21:22:33Z

Details

Unauthenticated clients can cause a panic in SSH servers.

When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

References

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.0.0-20211202192323-5770296d904e

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/crypto/ssh",
            "symbols": [
                "Dial",
                "NewClientConn",
                "NewServerConn",
                "chacha20Poly1305Cipher.readCipherPacket",
                "curve25519sha256.Client",
                "curve25519sha256.Server",
                "dhGEXSHA.Client",
                "dhGEXSHA.Server",
                "dhGroup.Client",
                "dhGroup.Server",
                "ecdh.Client",
                "ecdh.Server",
                "gcmCipher.readCipherPacket"
            ]
        }
    ]
}