GoogleOSV:GHSA-3VM4-22FP-5RFMgolang.org/x/crypto/ssh NULL Pointer Dereference vulnerability
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.005 Low
EPSS
Percentile
77.0%
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.
| CPE | Name | Operator | Version |
|---|---|---|---|
| golang.org/x/crypto | lt | 0.0.0-20201216223049-8b5274cf687f |
References
go-review.googlesource.com/c/crypto/+/278852
go.dev/cl/278852
go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8
groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2020-29652
pkg.go.dev/vuln/GO-2021-0227
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.005 Low
EPSS
Percentile
77.0%