GO-2022-0968

Source
https://storage.googleapis.com/go-vulndb/ID/GO-2022-0968.json
Aliases
Published
2022-09-13T03:32:38Z
Modified
2022-09-21T19:50:49Z
Details

Unauthenticated clients can cause a panic in SSH servers.

When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

References

Affected packages

Go / golang.org/x/crypto

golang.org/x/crypto

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
0.0.0-20211202192323-5770296d904e

Affected versions

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "Dial",
                "NewClientConn",
                "NewServerConn",
                "chacha20Poly1305Cipher.readCipherPacket",
                "gcmCipher.readCipherPacket"
            ],
            "path": "golang.org/x/crypto/ssh"
        }
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-0968"
}